A few hours ago, Ronald Prins of Fox-IT (@cryptoron) tweeted that NBC.com was infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.

Update: Fox-IT has also posted a blog item on the incident.

There were two exploit links on the NBC website: the first was on the main (entry) page, and the second was located in hxxp://www.nbc.com/assets/core/js/s_wrapper.js

It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan, which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following URLs on a server that has already been sinkholed:

hxxp://184.82.177.125/tr2002/file.php

hxxp://184.82.177.125/tr2102/file.php

We’ve seen at least two different Citadel Trojans. MD5 hashes of the droppers:

c26c64c3129fca7aafe695904d5976da

16ee24be6b0afac36c994c9568e24331

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to, for example:

hxxp://umaiskhan.com/ztuj.html

hxxp://moi-npovye-sploett.com/qqqq/1.php

hxxp://priceworldpublishing.com/aynk.html

hxxp://nikweinstein.com/cl/google.php

hxxp://walterjeffers.com/ctuk.html

hxxp://barbecuechickenrecipes.org/ctuk.htm

hxxp://toplineops.com/mtnk.html

hxxp://fabricaequiposestetica.com/ztuj.htm



RedKit Exploit Kit

The attacks were carried out by the RedKit Exploit Kit. One of RedKit’s notable features is that it can generate and rotate attack URLs every hour.
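As an added example (not code from the original post or from HitmanPro), the following script matches web-proxy log lines against the indicators listed above: the rotating landing pages, and the Citadel C2 URLs on the sinkholed server. It reports which clients reached the C2 and groups the landing hosts by hour, which makes RedKit's hourly URL rotation visible in your own logs. The log format, the sample lines and the `tr\d{4}` generalisation of the two listed C2 paths are assumptions made for this example.

```python
"""Added example, not code from the original post: match web-proxy log lines
against the indicators listed in the post, list the clients that reached the
Citadel C2, and show how the RedKit landing host changes from hour to hour.
The log format and all sample lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Rotating RedKit landing pages listed in the post (defanged as in the post).
# www.nbc.com itself is deliberately not here: it is the compromised site,
# so matching on it would flag every visitor.
LANDING_URLS = [
    "hxxp://umaiskhan.com/ztuj.html",
    "hxxp://moi-npovye-sploett.com/qqqq/1.php",
    "hxxp://priceworldpublishing.com/aynk.html",
    "hxxp://nikweinstein.com/cl/google.php",
    "hxxp://walterjeffers.com/ctuk.html",
    "hxxp://barbecuechickenrecipes.org/ctuk.htm",
    "hxxp://toplineops.com/mtnk.html",
    "hxxp://fabricaequiposestetica.com/ztuj.htm",
]
# Citadel C2 from the post: hxxp://184.82.177.125/tr2002/file.php and
# /tr2102/file.php. The tr\d{4} generalisation over those two paths is an assumption.
C2_RE = re.compile(r"^http://184\.82\.177\.125/tr\d{4}/file\.php$")
# Constructed log format: "<ISO timestamp> <client IP> <method> <URL> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def refang(url):
    """Turn a defanged hxxp:// indicator back into a matchable URL."""
    return url.replace("hxxp://", "http://", 1)


LANDING_HOSTS = {urlsplit(refang(u)).hostname for u in LANDING_URLS}


def classify(url):
    """Return 'c2', 'landing' or None for one requested URL."""
    if C2_RE.match(url):
        return "c2"
    if (urlsplit(url).hostname or "").lower() in LANDING_HOSTS:
        return "landing"
    return None


def scan(lines):
    """Return (timestamp, client, kind, url) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip it
        ts, client, _method, url, _status = m.groups()
        kind = classify(url)
        if kind:
            hits.append((datetime.fromisoformat(ts), client, kind, url))
    return hits


def c2_clients(hits):
    """Clients that talked to the Citadel C2: treat these as infected."""
    return sorted({client for _ts, client, kind, _url in hits if kind == "c2"})


def landing_hosts_per_hour(hits):
    """Distinct landing hosts per hour; RedKit rotates its URLs hourly, so a
    compromised site tends to show a different host in successive buckets."""
    buckets = defaultdict(set)
    for ts, _client, kind, url in hits:
        if kind == "landing":
            buckets[ts.strftime("%Y-%m-%d %H:00")].add(urlsplit(url).hostname)
    return {hour: sorted(hosts) for hour, hosts in sorted(buckets.items())}


# Constructed sample log: two visitors, two hours, two landing hosts, one C2 each.
SAMPLE_LOG = """\
2013-02-21T16:05:12 10.0.0.5 GET http://www.nbc.com/ 200
2013-02-21T16:05:13 10.0.0.5 GET http://www.nbc.com/assets/core/js/s_wrapper.js 200
2013-02-21T16:05:14 10.0.0.5 GET http://umaiskhan.com/ztuj.html 200
2013-02-21T16:06:02 10.0.0.5 POST http://184.82.177.125/tr2002/file.php 200
2013-02-21T17:12:44 10.0.0.9 GET http://www.nbc.com/ 200
2013-02-21T17:12:45 10.0.0.9 GET http://toplineops.com/mtnk.html 200
2013-02-21T17:13:01 10.0.0.9 POST http://184.82.177.125/tr2102/file.php 200
2013-02-21T17:20:00 10.0.0.7 GET http://www.example.com/news 200
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(*hit)
    print("C2 clients:", c2_clients(found))
    print("landing hosts per hour:", landing_hosts_per_hour(found))
```

A C2 hit is the stronger signal: a client that only fetched a landing page may have been served the exploit without it succeeding, while a POST to the sinkholed server means the dropper ran. Because the landing list rotates hourly, the hour-bucketed view is also the one to keep re-running as new hosts are published, rather than a one-off grep.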

RedKit was also used last year in the Telegraaf attack in The Netherlands, which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole 750GB of highly sensitive information (including usernames, passwords, certificates, documents and other data) from over 150.000 computers in the networks of the Dutch government, hospitals, vital infrastructure such as water and power plants, airlines, multinationals and other companies.



Just a coincidence

Did you know that the Citadel Trojan responsible for the Dorifel outbreak in The Netherlands last year used the NBC logo as its file icon?



On-Demand Detection and Timeline

HitmanPro’s behavioral scan detects zero-day Citadel malware quite easily, as the screenshot below shows.

HitmanPro’s new forensic cluster feature establishes a clear post-infection timeline. So even if you got infected a few days ago, HitmanPro provides evidence of how that happened.



ZeroAccess

Some of the victims have also been infected with the ZeroAccess malware after visiting NBC.com:

994da098a62905385af8481329bf7c70

The ZeroAccess malware tampers with an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques to hinder its detection and removal.



Unknown malware

The attack also served an unknown malware binary, which connects to various websites:

hxxp://envirsoft.com/d.htm

hxxp://eastsidetennisassociation.com/l.htm

hxxp://magasin-shop.com/r.htm

hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or as a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot, and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end: “SadokBdi”. If you Google Sadok or Kodas, you come across some interesting webpages.
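As an added example (not code from the original post or from HitmanPro), this small triage helper checks a suspect file against the three things the post gives for this sample: the MD5 hashes listed on this page, the “SadokBdi” string near the end of the binary, and the odd 3S4H3S.exe-style filename. The 512-byte tail window, the six-character filename pattern and the sample bytes are assumptions made for this example.

```python
"""Added example, not code from the original post: triage one suspect file
against the indicators given in the post. Three checks: MD5 against the
listed hashes, the "SadokBdi" string near the end of the file, and the odd
3S4H3S.exe-style filename. The sample bytes below are constructed."""
import hashlib
import re
from pathlib import Path

# MD5s from the post.
KNOWN_MD5 = {
    "c26c64c3129fca7aafe695904d5976da": "Citadel dropper",
    "16ee24be6b0afac36c994c9568e24331": "Citadel dropper",
    "994da098a62905385af8481329bf7c70": "ZeroAccess",
    "1fa5afe1ddcd083d40b5b330fd9b3613": "unknown binary (3S4H3S.exe)",
}
MARKER = b"SadokBdi"
TAIL_WINDOW = 512  # assumption: "at the end" taken to mean the last 512 bytes
# Assumed generalisation of the one filename in the post: six alphanumerics
# followed by .exe.
ODD_NAME_RE = re.compile(r"^[0-9A-Z]{6}\.exe$", re.IGNORECASE)


def md5_hex(data):
    """Hex MD5 of a byte string (MD5 is used here only as a lookup key)."""
    return hashlib.md5(data).hexdigest()


def triage_bytes(data, filename, known_md5=KNOWN_MD5):
    """Return (md5, findings); findings lists every indicator that matched."""
    findings = []
    digest = md5_hex(data)
    if digest in known_md5:
        findings.append(f"md5 matches {known_md5[digest]}")
    offset = data.rfind(MARKER)  # last occurrence, since the post says "at the end"
    if offset >= 0:
        where = "in tail" if len(data) - offset <= TAIL_WINDOW else "not in tail"
        findings.append(f"marker {MARKER.decode()} at offset {offset} ({where})")
    if ODD_NAME_RE.match(filename):
        findings.append(f"filename {filename} matches odd-name pattern")
    return digest, findings


def triage_path(path, known_md5=KNOWN_MD5):
    """Read a file from disk and run the same checks on it."""
    p = Path(path)
    return triage_bytes(p.read_bytes(), p.name, known_md5)


# Constructed sample: a fake PE-like blob ending in the marker string.
SAMPLE = b"MZ" + b"\x00" * 200 + MARKER

if __name__ == "__main__":
    digest, findings = triage_bytes(SAMPLE, "3S4H3S.exe")
    print(digest)
    for f in findings:
        print(" -", f)
```

A hash match is conclusive for the listed droppers but misses any repacked build; the string and filename checks are weaker on their own and are there to surface samples the hash list does not know yet, which is exactly the case the post describes for this binary.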



Facebook.com

While the attack is ongoing, Facebook.com is preventing posts to NBC.com, as can be seen from this screenshot:



Perform Second Opinion Scan

If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com



Late Night Show Jimmy Fallon

4 hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages, such as hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com, serving some of the same links as NBC.com. This is also confirmed by the guys at the Sucuri blog.
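For a site owner checking whether their own pages carry injected iframes like the ones described above, the following added example (not code from the original post or from HitmanPro) lists every `<iframe>` and `<script>` that loads from outside the site's own domains, flags the ones whose host appears in this post's indicator list, and marks iframes styled to be invisible. The "hidden iframe" heuristic is a common injection trait and is my assumption, not something the post states; the HTML is constructed and is not NBC's real markup.

```python
"""Added example, not code from the original post: list every <iframe> and
<script> on a page that loads from outside the site's own domains, flag the
ones on the post's indicator list, and note iframes styled to be invisible
(a common injection trait; that heuristic is an assumption, not from the post).
The HTML below is constructed and is not NBC's real markup."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Landing-page hosts from the post.
INDICATOR_HOSTS = {
    "umaiskhan.com", "moi-npovye-sploett.com", "priceworldpublishing.com",
    "nikweinstein.com", "walterjeffers.com", "barbecuechickenrecipes.org",
    "toplineops.com", "fabricaequiposestetica.com",
}


def _looks_hidden(attrs):
    """1x1 / 0x0 size or display:none / visibility:hidden styling."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {attrs.get("width"), attrs.get("height")} & {"0", "1"}
    return bool(tiny) or "display:none" in style or "visibility:hidden" in style


class ExternalLoadFinder(HTMLParser):
    """Collect iframe/script loads whose host is not one of our own domains."""

    def __init__(self, page_url, own_domains):
        super().__init__()
        self.page_url = page_url
        self.own_domains = {d.lower() for d in own_domains}
        self.found = []

    def _is_own(self, host):
        return any(host == d or host.endswith("." + d) for d in self.own_domains)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        if not a.get("src"):
            return  # inline script or src-less iframe; nothing external loaded
        url = urljoin(self.page_url, a["src"])  # resolves relative and // URLs
        host = (urlsplit(url).hostname or "").lower()
        if self._is_own(host):
            return
        self.found.append({
            "tag": tag, "url": url, "host": host,
            "known_bad": host in INDICATOR_HOSTS,
            "hidden": tag == "iframe" and _looks_hidden(a),
        })


def find_external_loads(html, page_url, own_domains):
    """Parse one page and return the list of external iframe/script loads."""
    p = ExternalLoadFinder(page_url, own_domains)
    p.feed(html)
    p.close()
    return p.found


# Constructed page: one own-domain script, one third-party script, one
# hidden iframe pointing at a listed landing host, one ordinary embed.
SAMPLE_HTML = """<html><head>
<script src="/assets/core/js/s_wrapper.js"></script>
<script src="https://cdn.analytics-example.net/a.js"></script>
</head><body>
<iframe src="http://umaiskhan.com/ztuj.html" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for r in find_external_loads(SAMPLE_HTML, "http://www.nbc.com/", {"nbc.com"}):
        flag = "KNOWN BAD" if r["known_bad"] else "external"
        print(f"{flag:9} {r['tag']:6} hidden={r['hidden']!s:5} {r['url']}")
```

Note what this does not catch: the second injection point in this incident was s_wrapper.js on NBC's own domain, which an own-domain filter skips by design. Modified first-party files need a content check (hash or diff against the deployed release) rather than a host check, so run both.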
