Two days ago, Thursday September 6th, the website of the popular Dutch newspaper Telegraaf.nl was serving its visitors zero-day malware. Telegraaf.nl is ranked #10 on the list of most popular websites in The Netherlands. Even though the media kept naming Telegraaf.nl as the origin of the attack, technically it was caused by a compromised website of a Dutch online marketing company that handles newsletters and email marketing activities for Telegraaf.nl. This online marketing company handles online activities for other well-known Dutch companies too, including some non-profit organizations.
More Dutch websites compromised
To not discredit this relatively small company, its name was deliberately kept under wraps and everybody used Telegraaf.nl when referring to the Thursday outbreak. But according to our research, it wasn’t just this small marketing company that was involved in this specific attack vector that day. We’ve seen other compromised Dutch websites (running vulnerable versions of the Joomla CMS) with an iframe pointing to the exact same attack site. This attack site was located in Denmark and was hosted on a .com domain registered to a Dutch citizen (this legitimate website was compromised by the attackers and turned into an attack site).
Since the site is hosted in Denmark, you can imagine that it takes a bit more time to take down an attack site hosted in a country other than The Netherlands – it requires international cooperation. Thanks to efforts of others, like the Dutch National Cyber Security Centre (NCSC), the attack page in Denmark was suspended on Friday afternoon.
RedKit Exploit Kit
The attack site was hosting a counter.php which was actually the RedKit exploit kit. One of RedKit’s notable features is that it can generate and rotate attack URLs every hour. These URLs point to other compromised websites, which makes it difficult to reliably block RedKit’s URLs. The exploit kit uses HTTP response status code 302 to redirect the browser so that it immediately opens the actual attack URL.
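As an added example (not part of the original post or of HitmanPro's tooling), the redirect pattern described above can be hunted for in web-proxy logs: a 302 answer from a counter.php on one host whose Location points to a different host, which the same client then follows within seconds. The log format, field order, hosts and IP addresses below are all constructed for this example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not from the incident): time client method url status location
SAMPLE_LOG = """\
2012-09-06T10:01:02 10.0.0.5 GET http://news.example.nl/ 200 -
2012-09-06T10:01:03 10.0.0.5 GET http://compromised.example.com/counter.php 302 http://rotated.example.org/x1
2012-09-06T10:01:04 10.0.0.5 GET http://rotated.example.org/x1 200 -
2012-09-06T10:05:00 10.0.0.7 GET http://stats.example.net/counter.php 302 http://stats.example.net/stats.php
2012-09-06T10:09:00 10.0.0.9 GET http://other.example.com/counter.php 302 http://far.example.org/y
"""

def parse_log(text):
    """Parse the constructed log format (one request per line) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, location = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return records

def find_redkit_chains(records, window_seconds=10):
    """Return 302 hops from a counter.php to another host, noting whether the
    same client fetched the redirect target within the time window."""
    findings = []
    for rec in records:
        if rec["status"] != 302 or not rec["location"]:
            continue
        src, dst = urlparse(rec["url"]), urlparse(rec["location"])
        if not src.path.endswith("/counter.php") or src.hostname == dst.hostname:
            continue  # same-host redirects are ordinary web behaviour
        deadline = rec["time"] + timedelta(seconds=window_seconds)
        followed = any(
            r["client"] == rec["client"] and r["url"] == rec["location"]
            and rec["time"] <= r["time"] <= deadline
            for r in records
        )
        findings.append({"client": rec["client"], "gate": rec["url"],
                         "attack_url": rec["location"], "followed": followed})
    return findings

if __name__ == "__main__":
    for finding in find_redkit_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

Because RedKit rotates the target URLs hourly, the check keys on the redirect behaviour rather than on a blocklist of destination hosts.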
To defend itself against malware researchers, RedKit is equipped with new anti-forensic features.
Another important feature of this exploit kit is that it allows the attackers to upload an executable (malware) and test it against 37 different antivirus solutions to optimize attacks and ensure results:
Image by SpiderLabs
To infect computers, this exploit kit abuses a recently discovered vulnerability in Java, registered under CVE-2012-4681. This vulnerability affects Java 7 Update 6 (or older) and Java 6 Update 34 (or older). Since this vulnerability was patched by Oracle just days ago, and knowing that the cybercriminals using RedKit optimized their malware to bypass AV protection, not many computers could withstand this attack.
Below is an overview of the malware that HitmanPro encountered on systems that were infected by this attack (the detection ratio was determined using VirusTotal at the time of the initial attack):
45% of the computers affected by this attack were infected with the Citadel malware. The other malware families are also designed to steal and generate money.
We were able to identify this initially unknown malware by correlating the timestamp of the infection with that of the initial downloader on the victim machines (the downloader installed the unknown malware within 3 minutes). SHA-256 hashes:
Live Security Platinum
Note: The Citadel malware is a descendant of the Zeus banking Trojan and re-encrypts itself each time it infects a victim, making each infection unique.
The Dutch government issued an initial warning about the fake antivirus. But after a few hours we could see that it was not the fake antivirus people should’ve been worried about: it’s the Citadel banking Trojan that affected most systems. Contrary to the fake antivirus, which is very visible and popping up on people’s screens, the Citadel banking Trojan is specifically designed to be invisible, for both users and antivirus programs.
HitmanPro detects this malware through behavioral analysis, signature detection, or both. It will also thoroughly remove these infections and repair services.exe, which most AV products find difficult to fix. More about that in our blog ZeroAccess – From Rootkit to Nasty Infection.
Image: HitmanPro detecting Live Security Platinum, ZeroAccess and Citadel malware
Citadel leading the Dutch Malware Prevalence Top 25
I’d also like to refer to July’s top 25 of prevalent malware where, in The Netherlands, the Citadel banking Trojan ranks #1. FakeAV and ZeroAccess rank #2 and #5 respectively. World-wide, the Zeus family (of which Citadel is part) ranks #6.
I would like to thank the Dutch National Cyber Security Centre (NCSC) for providing us information during the initial research.