Writeup on nbc.com distributing Citadel malware

Every now and then, an incident occurs in the SOC (Security Operation Center) that really captures everyone involved’s imagination. NBC’s websites getting hacked, is just one case, in point. Image

At 16:43 CET, this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting US financials institutions. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.


It has been shown before (with Dutch news site nu.nl, for example, along with the recent incidents at the New York Times and Wall Street Journal), targeting media and news websites can vastly improve an attacker’s chances of success. Users presume these large organizations websites to be free from malware. If an attacker can gain access to these web servers, they can use them to distribute malware to every visitor of that web server.


The flow of the attack looks like this:

An iframe (on nbc.com) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf

Many more different URLs have been used in the coming hours after the first sign of the attack was detected.

The Citadel malware distributed is configured to manipulate traffic to and from the banking sites of the following banks amongst others:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website is compromised and starts spreading malware, and we don’t presume its the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

18 thoughts on “Writeup on nbc.com distributing Citadel malware

  1. can you please tell me which plugin/software are you using in the top most screenshot to view the different URL and hits on them and their response? What is the name of that plugin/package? Thanks!

      • The little S with Ø says the NoScript plugin to me, but I could be wrong. It’s been a little while since I have used either NoScript of Firebug.

  2. Pingback: Situs NBC.com Diinfeksi RedKit Malware | CISO Magazine | Information Security Resources

  3. Pingback: Boot up: Sony’s PS4 misstep, hacking everywhere, Samsung copy/paste redux, and more | auicon.com

  4. Pingback: ste williams » NBC.com HACKED to spread bank account-raiding Trojan

  5. Pingback: NBC.com Hacked to Serve Up Banking Malware

  6. Pingback: NBC.com HACKED to spread bank account-raiding Trojan | Gens News

  7. Pingback: NBC.com Hacked: Distributing Malware | eSentire

  8. Pingback: NBC.com hacked to serve up banking malware - Information security & technology news

  9. Pingback: NBC.com hacked to serve up banking malware | fortsec

  10. Pingback: NBC.com HACKED to spread bank account-raiding Trojan | Technophile

  11. Pingback: Defensive Security Podcast Episode 8 | Defensive Security

  12. Pingback: Les sites de la chaîne NBC piratés et infectés par un malware | ActuBuzz.ma | Magazine High Tech sur l'actualité Geek, Web, Mobile

  13. Pingback: NBC.com hacked, briefly compromised with RedKit malware | Teckat - Technology blog

  14. Pingback: NBC.com hacked, briefly compromised with RedKit malware | nano Geek

  15. Pingback: Visualizing the Evolution of RedKit | Analysis Intelligence

  16. Pingback: Fox-IT's writeup on nbc.com distributing Citadel malware - Sysadmins of the North

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s