Writeup on nbc.com distributing Citadel malware

Every now and then, an incident occurs in the SOC (Security Operation Center) that really captures everyone involved’s imagination. NBC’s websites getting hacked, is just one case, in point. Image

At 16:43 CET, this afternoon we noticed that the NBC.com website links to the redkit exploit kit that is spreading Citadel malware, targeting US financials institutions. This version of Citadel is only recognizable by 3 out of the 46 antivirus programs on virustotal.com.


It has been shown before (with Dutch news site nu.nl, for example, along with the recent incidents at the New York Times and Wall Street Journal), targeting media and news websites can vastly improve an attacker’s chances of success. Users presume these large organizations websites to be free from malware. If an attacker can gain access to these web servers, they can use them to distribute malware to every visitor of that web server.


The flow of the attack looks like this:

An iframe (on nbc.com) loads a webpage that tries to download and execute a malicious JAR file as well as a malicious PDF.

hxxp://finesseindia.com/332.jar & hxxp://finesseindia.com/987.pdf

Many more different URLs have been used in the coming hours after the first sign of the attack was detected.

The Citadel malware distributed is configured to manipulate traffic to and from the banking sites of the following banks amongst others:

  • Wells Fargo
  • USAA
  • Citibank
  • Bank of America
  • TD Ameritrade
  • Suntrust
  • Navy Federal Credit Union
  • Citizensbank Online
  • Fifth Third Bank
  • PNC
  • Chase
  • Schwab
  • American Express

The malware was no longer served at 21:28 CET.

This isn’t the first time a major website is compromised and starts spreading malware, and we don’t presume its the last. Be wary.

Barry Weymes et al.

Credit to Yonathan Klijnsma and Lennart Haagsma for discovery.

18 thoughts on “Writeup on nbc.com distributing Citadel malware

  1. can you please tell me which plugin/software are you using in the top most screenshot to view the different URL and hits on them and their response? What is the name of that plugin/package? Thanks!

    1. It looks like Firebug, a developer plugin for Firefox. WebKit-based browsers (Chrome, Safari) often have a similar tool already built in.

      1. The little S with Ø says the NoScript plugin to me, but I could be wrong. It’s been a little while since I have used either NoScript of Firebug.

Leave a Reply