Writeup on nbc.com distributing Citadel malware


Every now and then, an incident occurs in the SOC (Security Operation Center) that really captures everyone involved’s imagination. NBC’s websites getting hacked, is just one case, in point. Image

At 16:43 CET, this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting US financials institutions. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.

https://www.virustotal.com/en/file/96deefbe5034d826b2fe4796c32104badaa6c8df768da1059827ccac6ef2f9d8/analysis/1361464137/

It has been shown before (with Dutch news site nu.nl, for example, along with the recent incidents at the New York Times and Wall Street Journal), targeting media and news websites can vastly improve an attacker’s chances of success. Users presume these large organizations websites to be free from malware. If an attacker can gain access to these web servers, they can use them to distribute malware to every visitor of that web server.

Image

The flow of the attack looks like this:

An iframe (on nbc.com) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf

Many more different URLs have been used in the coming hours after the first sign of the attack was detected.

The Citadel malware distributed is configured to manipulate traffic to and from the banking sites of the following banks amongst others:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website is compromised and starts spreading malware, and we don’t presume its the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

18 thoughts on “Writeup on nbc.com distributing Citadel malware

  1. can you please tell me which plugin/software are you using in the top most screenshot to view the different URL and hits on them and their response? What is the name of that plugin/package? Thanks!

      1. The little S with Ø says the NoScript plugin to me, but I could be wrong. It’s been a little while since I have used either NoScript of Firebug.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s