It has been a while since we wrote our last blog. Sorry for this, but we were busy with a lot of projects. Two noteworthy projects were the release of our unique solution against ransomware (e.g. the FBI Reveton and BKA/GVU trojans) and, of course, the disclosure of the Pobelka Citadel botnet that haunted 150.000 Dutch (mostly government and business) computers for 8 months last year. The latter hasn’t been discussed much internationally because we released our extensive research in the Dutch language only (which is available here). Now that the entire world is talking about Chinese hackers attacking the media networks of the New York Times, Wall Street Journal and Bloomberg, we reveal some additional, and striking, insights from this research.
Perhaps you still remember September last year, when cybercriminals were able to launch attacks on Dutch computers by using a compromised marketing server used by ‘De Telegraaf’, a widely read newspaper and the #11 website in The Netherlands. This was the umpteenth Dutch incident, after others like NU.nl, weeronline.nl and, of course, the Dorifel outbreak, which brought the operations of many Dutch municipalities, government bodies and large multinational companies to a standstill for days.
Illustration 1: Bots connecting with Pobelka command and control server
Of course we were curious why the Dutch were hit again, and at that time we decided to find out what was behind these incidents and whether there was a common denominator.
We began investigating the malware dropper used in the Telegraaf incident and discovered (thanks to our HitmanPro cloud data) that it was spreading 4 different malware families during this particular incident: FakeAV, ZeroAccess, Medfos (we omitted Medfos in our earlier blog on the incident) and of course the Pobelka Citadel malware.
During this investigation we noticed an interesting fact: the Citadel server used in the Telegraaf incident was registered with the EXACT same credentials as a domain used by the gang responsible for spreading the Dorifel trojan. So the two operations are somehow related, or perhaps even run by the same criminals:
Illustration 2: Pobelka.com domain used by the Citadel server
Illustration 3: ipo90.com domain used by Dorifel-3 to distribute ransomware, that hit mostly non-Dutch systems
Even though we believe that eastern European criminals are behind the attack operations, you obviously have noticed the Chinese registration of the domains as well…
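The registrant match above is the kind of infrastructure pivot an analyst repeats across many domains. The following is an added example, not code from the original post or from SurfRight/Digital Investigation: it groups constructed WHOIS records by normalised registrant name and e-mail, and deliberately refuses to cluster records whose registrant fields are privacy-shielded, because a shared "REDACTED" placeholder links nothing. All domain names, registrant values and registrars below are constructed placeholders.

```python
"""Pivot on WHOIS registrant fields to link domains to a common operator.

Added example; the records below are constructed placeholders, not real
WHOIS data and not the domains named in the original post.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (placeholder values only).
WHOIS_RECORDS = [
    {"domain": "example-c2-1.test", "registrant_name": "Li  Wei",
     "registrant_email": "Reg1@Example.test", "registrar": "Registrar A",
     "created": "2012-05-01"},
    {"domain": "example-dropper.test", "registrant_name": "li wei",
     "registrant_email": "reg1@example.test", "registrar": "Registrar A",
     "created": "2012-06-12"},
    {"domain": "unrelated.test", "registrant_name": "Jane Roe",
     "registrant_email": "jane@example.test", "registrar": "Registrar B",
     "created": "2011-01-20"},
    {"domain": "privacy-shielded.test", "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY", "registrar": "Registrar A",
     "created": "2012-06-12"},
]

# Substrings that indicate a privacy/proxy service rather than a real registrant.
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "proxy")

PIVOT_FIELDS = ("registrant_email", "registrant_name")


def normalize(value: str) -> str:
    """Lower-case and collapse whitespace so 'Li  Wei' and 'li wei' compare equal."""
    return " ".join(value.strip().lower().split())


def is_privacy_shielded(value: str) -> bool:
    """True when a registrant field holds a privacy-service placeholder."""
    v = normalize(value)
    return any(marker in v for marker in PRIVACY_MARKERS)


def cluster_by_registrant(records: Iterable[dict],
                          fields: Tuple[str, ...] = PIVOT_FIELDS
                          ) -> Dict[Tuple[str, ...], List[str]]:
    """Group domains whose pivot fields match exactly after normalisation.

    Privacy-shielded records are skipped, and only clusters with at least
    two domains are returned, since a singleton links nothing.
    """
    clusters: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for rec in records:
        if any(is_privacy_shielded(rec[f]) for f in fields):
            continue
        key = tuple(normalize(rec[f]) for f in fields)
        clusters[key].append(rec["domain"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


def linked_domains(records: Iterable[dict], domain: str) -> List[str]:
    """Return the other domains that share registrant fields with `domain`."""
    for domains in cluster_by_registrant(records).values():
        if domain in domains:
            return [d for d in domains if d != domain]
    return []


if __name__ == "__main__":
    for key, domains in cluster_by_registrant(WHOIS_RECORDS).items():
        print(key, "->", domains)
```

A registrant match is corroborating evidence, not proof of a single operator: registrars, creation dates and name servers should agree before two domains are attributed to the same gang, and stolen or reused registrant details will produce false links.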
Recalling their investigative work on the Citadel server responsible for spreading Dorifel, we asked the Dutch forensic firm Digital Investigation to work with us and to investigate our early research data. It didn’t take them long to bypass the different proxies that were hiding the server from plain view. In cooperation with law enforcement they seized this Citadel command and control server and discovered over 750 gigabytes of sensitive information, which included login credentials (passwords), client certificates (remember DigiNotar) and even detailed overviews of internal networks that weren’t directly connected to the internet.
Illustration 4: Citadel searching for information about other systems
So all this data was gathered and stolen by the Pobelka Citadel malware from inside Dutch government networks, hospitals, the aviation industry and even networks controlling critical infrastructure, including industrial control systems (ICS). We practised responsible disclosure, for example by giving the government time to handle the situation internally and by not revealing the names of the many, many affected institutions, companies and public authorities. But because government officials did not deem the findings interesting enough to call for a nationwide check (many roaming business and home computers were affected as well), our extensive research didn’t even reach the national news, let alone the international news.
Advanced Persistent Threat
It’s also worth noting that the Citadel malware (which is based on the source code of the notorious Zeus banking trojan) is not considered to be an advanced persistent threat (APT), even though it also manages to stay under the radar for months (like the malware used in the New York Times breach). Last year we devoted a blog post to the prevalence of banking trojans (like Citadel), which revealed that this type of malware stays undetected for 25 days, on average, on computers actively protected by up-to-date antivirus software: Antivirus shortens the lifetime of financial malware
In our Dutch research paper on the Pobelka botnet we also explain how the Citadel malware easily bypasses these renowned antivirus programs and why it remains undetected for such a long time. And the Pobelka botnet, which was specifically set up to target Dutch and German computers, was not the only botnet operational in The Netherlands last year. We estimate that hundreds of similar (and larger) botnets are still operational right now, and not only in The Netherlands. If you think the country of the Dutch is small, insignificant and seemingly unexciting, consider the operations going on in bigger countries like France, Germany or the United States.
If you are Dutch or German and you want to know whether your company, network or sensitive data was compromised by the Pobelka botnet, simply go to this website by Digital Investigation to find out:
There you can also download HitmanPro, our free second-opinion anti-malware, which uses behavioral analysis instead of virus signatures to hunt down zero-day threats, including all variants of malware based on Zeus, like Citadel.
Read here for our blog posting regarding the Dorifel outbreak and our role in rescuing hundreds of millions of documents on government networks and multinationals.
Update: Kaspersky posted an article about McAfee’s research on the Citadel trojan in Europe, spying on government and business computers: Citadel Trojan: It’s Not Just Banking Fraud Anymore