At 16:43 CET this afternoon we noticed that the NBC.com website was linking to the RedKit exploit kit, which was spreading Citadel malware targeting US financial institutions. This version of Citadel was detected by only 3 of the 46 antivirus engines on virustotal.com.
It has been shown before (with the Dutch news site nu.nl, for example, and in the recent incidents at the New York Times and the Wall Street Journal) that targeting media and news websites can vastly improve an attacker’s chances of success. Users presume the websites of such large organizations to be free of malware. If an attacker gains access to these web servers, they can use them to distribute malware to every visitor of the site.
The flow of the attack looks like this:
An iframe on nbc.com loads a web page that tries to download and execute a malicious JAR file as well as a malicious PDF, for example:
hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf
Many more URLs were used in the hours after the first sign of the attack was detected.
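As an added example, not code from the original post or its authors, the Python script below shows two checks a defender could run against the chain described above: one that finds hidden iframes pointing off-site in fetched HTML, and one that correlates proxy log lines to flag a client that fetched a JAR or PDF from a third-party host shortly after visiting a watched site. The sample HTML, the proxy log format (epoch seconds, client IP, method, URL) and the landing-page path are constructed for this example; only the JAR and PDF URLs are taken from the post, and a real deployment would read the HTML and log lines from its own proxy or sensor.

```python
"""Two detections for the iframe -> landing page -> JAR/PDF chain.

1. find_suspicious_iframes(html, page_host): hidden or tiny iframes whose
   src points at a host other than the page's own host.
2. correlate_drive_by(log_lines, watched_hosts): proxy log lines grouped per
   client; flag a client that visits a watched host and then fetches a .jar
   or .pdf from some other host within a short window.
"""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is invisible: 0/1px size, hidden attribute, or CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
        m = re.search(rf"{dim}:(\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return "hidden" in attrs


def find_suspicious_iframes(html, page_host):
    """Return src URLs of hidden iframes that load content from another host."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host and _is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed proxy log format (assumption): "<epoch> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
PAYLOAD_EXTS = {"jar", "pdf"}


def correlate_drive_by(log_lines, watched_hosts, window_s=120):
    """Return sorted (client, watched_host, payload_host, exts) alerts."""
    by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts, client, _method, url = m.groups()
        by_client[client].append((int(ts), url))

    alerts = set()
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, url0) in enumerate(reqs):
            host0 = urlparse(url0).hostname or ""
            if host0 not in watched_hosts:
                continue
            seen = defaultdict(set)
            for t1, url1 in reqs[i + 1:]:
                if t1 - t0 > window_s:
                    break  # requests are sorted; nothing later is in window
                u = urlparse(url1)
                host1 = u.hostname or ""
                ext = u.path.rsplit(".", 1)[-1].lower() if "." in u.path else ""
                if host1 and host1 not in watched_hosts and ext in PAYLOAD_EXTS:
                    seen[host1].add(ext)
            for host1, exts in seen.items():
                alerts.add((client, host0, host1, tuple(sorted(exts))))
    return sorted(alerts)


# Constructed sample input; the landing-page path is a placeholder.
SAMPLE_HTML = (
    '<html><body><h1>News</h1>'
    '<iframe src="http://www.nbc.com/player/embed" width="640" height="360"></iframe>'
    '<iframe src="http://finesseindia.com/landing.html" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
    '</body></html>'
)
WATCHED_HOSTS = {"www.nbc.com", "nbc.com"}
SAMPLE_LOG = [
    "1361720580 10.0.0.5 GET http://www.nbc.com/",
    "1361720581 10.0.0.5 GET http://finesseindia.com/landing.html",
    "1361720583 10.0.0.5 GET http://finesseindia.com/332.jar",
    "1361720584 10.0.0.5 GET http://finesseindia.com/987.pdf",
    "1361720600 10.0.0.9 GET http://www.nbc.com/",
    "1361720605 10.0.0.9 GET http://cdn.example.net/style.css",
    "1361721900 10.0.0.9 GET http://files.example.net/report.pdf",  # outside window
    "not a log line",
]

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_HTML, "www.nbc.com"))
    print(correlate_drive_by(SAMPLE_LOG, WATCHED_HOSTS))
```

The iframe check is cheap enough to run on every fetched page from a watched site; the log correlation flags a second host whose JAR or PDF lands within the window, so tune the window and the watched host list to your own traffic and expect ordinary PDF downloads to need whitelisting.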
The Citadel sample being distributed is configured to manipulate traffic to and from the banking sites of, among others, the following banks:
- Wells Fargo
- Bank of America
- TD Ameritrade
- Navy Federal Credit Union
- Citizensbank Online
- Fifth Third Bank
- American Express
By 21:28 CET the malware was no longer being served.
This isn’t the first time a major website has been compromised and started spreading malware, and we don’t presume it will be the last. Be wary.
Barry Weymes et al.
Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.