Delta Airlines Spam Lead To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines < >
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington

Please download and print your ticket from the following URL:

For more information regarding your order, contact us by visiting :

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:


Filename: pdf_delta_ticket.scr (
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the infected computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign is using various C&C servers, all located in the same subnet:

Citadel config/binary URLs:


Citadel dropzones:


They are already listed on ZeuS Tracker:

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: –
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email:
remarks: ***************************************
remarks: All other notifications to:
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to ‘’

descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (, you will just see an output of phpinfo(). Quite suspect for an internet service provider, isn’t it? Aztec isn’t new to me, I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (ebanking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

AS199079 AS path


Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend you to drop any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds. I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)

AS34109 CB3ROB Ltd. & Co. KG (suspect)


Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special with this specific campaign is that is wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign:

Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox.

You can protect yourself / your network from this threat by doing a few simple things:

* does have an SPF record that defines the permitted senders for this specific domain name

One thought on “Delta Airlines Spam Lead To Citadel

  1. Pingback: Se upp för hemsidor som är infekterade med zeroaccess och citadel | bredbandsbloggen

Leave a Reply

Your email address will not be published. Required fields are marked *