NBC.com hacked, serving up Citadel malware

A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.

Update: Fox-IT has also posted a blog item on the incident.

There were two exploit links on the NBC website. The first one was on the main (default entry) page, and the second one was located in hxxp://www.nbc.com/assets/core/js/s_wrapper.js

[Screenshot: s_wrapper.js]

It serves both Java (CVE-2013-0422) and PDF exploits. The exploits drop the Citadel Trojan, which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which has already been sinkholed:

hxxp://184.82.177.125/tr2002/file.php
hxxp://184.82.177.125/tr2102/file.php

We’ve seen at least two different Citadel Trojans. MD5 hashes of the droppers:
c26c64c3129fca7aafe695904d5976da
16ee24be6b0afac36c994c9568e24331

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to e.g.:

hxxp://umaiskhan.com/ztuj.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://priceworldpublishing.com/aynk.html
hxxp://nikweinstein.com/cl/google.php
hxxp://walterjeffers.com/ctuk.html
hxxp://barbecuechickenrecipes.org/ctuk.htm
hxxp://toplineops.com/mtnk.html
hxxp://fabricaequiposestetica.com/ztuj.htm
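For a network defender, the lists above are only useful once they are matched against something. The following script is an added example (it is not part of the original post and not SurfRight's or HitmanPro's code): it refangs the indicators quoted in this post, matches them against proxy log lines, and checks a set of file hashes against the dropper MD5s. The log format and the log lines are constructed for illustration; the indicators themselves are the ones listed above.

```python
"""Match the indicators from this post against proxy log lines and file hashes.

Added example, not part of the original post. The log lines below are
constructed for illustration; the URLs and hashes are the ones quoted in the post.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted in the post, kept in their defanged (hxxp) form.
C2_URLS = [
    "hxxp://184.82.177.125/tr2002/file.php",
    "hxxp://184.82.177.125/tr2102/file.php",
]
ATTACK_URLS = [
    "hxxp://umaiskhan.com/ztuj.html",
    "hxxp://moi-npovye-sploett.com/qqqq/1.php",
    "hxxp://priceworldpublishing.com/aynk.html",
    "hxxp://nikweinstein.com/cl/google.php",
]
DROPPER_MD5 = {
    "c26c64c3129fca7aafe695904d5976da",
    "16ee24be6b0afac36c994c9568e24331",
}


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL string."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def indicator_hosts(urls):
    """Set of hostnames (lower-cased) appearing in the indicator URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}


# Constructed log format: <timestamp> <client-ip> <status> "<METHOD> <url> HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<url>\S+)'
)


def scan_proxy_log(lines, urls=C2_URLS + ATTACK_URLS):
    """Return (client, url, reason) for each log line that touches an indicator.

    An exact URL match is reported as 'url'; any other request to an indicator
    host is reported as 'host', which matters because the exploit-kit paths
    rotate while the hosts stay the same for longer.
    """
    exact = {refang(u) for u in urls}
    hosts = indicator_hosts(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        if url in exact:
            hits.append((m.group("client"), url, "url"))
        elif host in hosts:
            hits.append((m.group("client"), url, "host"))
    return hits


def check_hashes(md5s, known=DROPPER_MD5):
    """Return the subset of md5s (case-insensitive) that are known droppers."""
    return sorted(h.lower() for h in md5s if h.lower() in known)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2013-02-21T15:02:11Z 10.0.0.15 200 "GET http://www.nbc.com/assets/core/js/s_wrapper.js HTTP/1.1"',
    '2013-02-21T15:02:12Z 10.0.0.15 200 "GET http://umaiskhan.com/ztuj.html HTTP/1.1"',
    '2013-02-21T15:02:15Z 10.0.0.15 200 "GET http://184.82.177.125/tr2002/file.php HTTP/1.1"',
    '2013-02-21T15:03:40Z 10.0.0.22 200 "GET http://priceworldpublishing.com/other.html HTTP/1.1"',
    '2013-02-21T15:04:01Z 10.0.0.30 200 "GET http://www.example.com/ HTTP/1.1"',
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason:4} {url}")
    print(check_hashes(["C26C64C3129FCA7AAFE695904D5976DA", "00000000000000000000000000000000"]))
```

Because the kit rotates its landing-page URLs, the exact-URL hits go stale within hours; the host-level hits and, above all, the sinkholed C2 address are the indicators worth keeping in a blocklist for longer.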


RedKit Exploit Kit

The attacks were carried out by the RedKit Exploit Kit. One of RedKit's notable features is that it can generate and rotate attack URLs every hour.

RedKit was also used last year during the Telegraaf attack in The Netherlands, which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole highly sensitive information (including usernames, passwords, certificates, documents and other data), 750GB in size, from over 150.000 computers located in networks of the Dutch government, hospitals, critical infrastructure such as water and power plants, airlines, multinationals and other companies.


Just a coincidence
Did you know that the Citadel Trojan responsible for the Dorifel outbreak in The Netherlands last year had the NBC logo as its file icon?

[Image: dorifel-citadel]


On-Demand Detection and Timeline
HitmanPro's behavioral scan detects zero-day Citadel malware quite easily, as can be seen in the screenshot below.

The new forensic cluster feature of HitmanPro establishes a timeline after the infection. So even if you got infected a few days ago, HitmanPro provides evidence of how that happened.

[Screenshot: Citadel infection]


ZeroAccess

Some of the victims have also been infected with the ZeroAccess malware after visiting NBC.com. MD5 hash of the sample:
994da098a62905385af8481329bf7c70

[Screenshot: nbc-zeroaccess]

[Screenshot: nbc-zeroaccess-hitmanpro]

The ZeroAccess malware manipulates an affected user's browsing by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques to hinder its detection and removal.


Unknown malware
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or as a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot, and it is not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end: "SadokBdi". If you Google Sadok or Kodas, you come across some interesting webpages.

[Screenshot: SadokBdi]


Facebook.com
While the attack is ongoing, Facebook.com is preventing posts to NBC.com, as can be seen from this screenshot:

[Screenshot: Facebook]


Perform Second Opinion Scan
If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com


Late Night Show Jimmy Fallon

Four hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages like hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com serving some of the same links as NBC.com. This is also confirmed by the guys at the Sucuri Blog.
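The injected iframes mentioned here are the kind of thing a site owner can check for in their own page source. The script below is an added example (it is not part of the original post and not SurfRight's or HitmanPro's code) that parses an HTML document and reports iframes that point off-site or are hidden (zero-size or display:none), plus off-site script sources for review. The sample HTML is constructed; the site hostname, the nbc.com path and the ztuj.html landing page mirror what the post describes.

```python
"""Find hidden or off-site iframes (and off-site scripts) in page source.

Added example, not part of the original post. The sample HTML is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FrameCollector(HTMLParser):
    """Collect iframe, frame and script start tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "script"):
            self.tags.append((tag, {k: (v or "") for k, v in attrs}))


def _is_hidden(attrs):
    """True if the element is invisible via style or has a 0/1 pixel dimension."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # width:0 / height:1px etc. inside the style attribute
    if re.search(r"(?:width|height):[01](?:px)?(?:;|$)", style):
        return True
    # width="0" / height="1" as plain attributes
    for dim in ("width", "height"):
        m = re.match(r"\s*(\d+)", attrs.get(dim, ""))
        if m and int(m.group(1)) <= 1:
            return True
    return False


def _is_offsite(src, site_host):
    """True if src resolves to a host other than site_host or its subdomains."""
    host = urlsplit(src).hostname
    if host is None:           # relative URL: same host as the page
        return False
    host = host.lower()
    return host != site_host and not host.endswith("." + site_host)


def find_suspicious_frames(html, site_host):
    """Return (tag, src, offsite, hidden) for each suspicious element.

    Iframes/frames are reported when off-site or hidden; scripts only when
    their src is off-site (those are common, so treat them as items to review).
    """
    parser = FrameCollector()
    parser.feed(html)
    site_host = site_host.lower()
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline script or iframe without src
        offsite = _is_offsite(src, site_host)
        hidden = _is_hidden(attrs)
        if tag in ("iframe", "frame") and (offsite or hidden):
            findings.append((tag, src, offsite, hidden))
        elif tag == "script" and offsite:
            findings.append((tag, src, True, False))
    return findings


# Constructed sample page: one legitimate player frame, one injected hidden
# frame pointing at a landing page from the post, one off-site script.
SAMPLE_HTML = """
<html><body>
<script src="/assets/core/js/s_wrapper.js"></script>
<iframe src="http://www.nbc.com/video/player" width="640" height="360"></iframe>
<iframe src="http://umaiskhan.com/ztuj.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<script src="http://cdn.example.com/lib.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, offsite, hidden in find_suspicious_frames(SAMPLE_HTML, "nbc.com"):
        print(f"{tag:6} offsite={offsite!s:5} hidden={hidden!s:5} {src}")
```

Running this against a saved copy of each page (and the JavaScript files it pulls in, such as s_wrapper.js here) on a schedule, and diffing the findings against a known-good baseline, is a cheap way to notice an injection like this one before visitors do.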

29 Responses to NBC.com hacked, serving up Citadel malware

  1. [...] A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.COM spreading malware. We… [...]

  2. [...] compromised, and is redirecting users to malicious sites, reports Dancho Danchev. According to HitmanPro, the website has been injected with malicious iFrames that lead to one of several compromised sites [...]

  3. [...] Facebook users were not able to access links to NBC.com through the Facebook website, after reports surfaced that NBC.com had been hacked and was spreading malicious software to [...]

  4. [...] The exploits are actively being served and cybercriminals have been continuously swapping out the malicious URLs, according to Hitman Pro blog. [...]

  5. [...] online security firm SurfRight said in a blog post that the malware, called the Citadel Trojan, is used by cyber criminals for "banking fraud and [...]

  6. [...] online security firm SurfRight said in a blog that the malware, the Trojan known as Citadel, is used by cybercriminals to [...]

  7. [...] folks at hitmanpro.blog are confirming that it is a drive-by-download attack, specifically using the Citadel Trojan, used [...]

  8. [...] access, warning users of malware that could taint their computer. According to a folks over during HitmanPro, NBC’s categorical domain was portion visitors with a Java and PDF exploits and infecting with a [...]

  9. [...] computer security firm, SurfRight, wrote on its HitmanPro blog that the NBC attack loaded exploits that look for vulnerabilities in Oracle’s Java programming [...]

  10. [...] online security firm SurfRight said in a blog post that the malware, known as the Citadel Trojan, is used by cyber criminals for “banking fraud [...]

  11. [...] researchers at Dutch security company SurfRight managed to grab samples of some of the malware on offer during this [...]

  12. [...] the NBC website, » one on the homepage and another further into the site, reported the HitmanPro security [...]

  13. [...] blog for HitmanPro, a software tool that detects malware, explained yesterday that Citadel exploited two links on NBC.com, the main page and a JavaScript [...]
