Delta Airlines Spam Lead To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines <tickets@delta.com>
To:
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

FLIGHT NUMBER DT628190172US
ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington
TOTAL PRICE / 429.33 USD

Please download and print your ticket from the following URL:

http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

For more information regarding your order, contact us by visiting :

https://www.delta.com/content/www/en_US/support/talk-to-us.html

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:

URL: http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

Filename: pdf_delta_ticket.scr (pdf_delta_ticket.zip)
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign uses various C&C servers, all located in the same subnet:

Citadel config/binary URLs:

hXXp://91.243.115.83/caca/flogin.php
hXXp://91.243.115.84/caca/flogin.php
hXXp://91.243.115.85/caca/flogin.php
hXXp://91.243.115.86/caca/flogin.php

Citadel dropzones:

hXXp://91.243.115.83/caca/glogout.php
hXXp://91.243.115.84/caca/glogout.php
hXXp://91.243.115.85/caca/glogout.php
hXXp://91.243.115.86/caca/glogout.php

They are already listed on ZeuS Tracker:
https://zeustracker.abuse.ch/monitor.php?as=199079

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: 91.243.115.0 - 91.243.115.255
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email: abuses@aztec-ltd.ru
remarks: ***************************************
remarks: All other notifications to: support@aztec-ltd.ru
abuse-mailbox: abuses@aztec-ltd.ru
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to '91.243.115.0/24AS199079'

route: 91.243.115.0/24
descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (www.aztec-ltd.ru), all you see is the output of phpinfo(). Quite suspicious for an internet service provider, isn’t it? Aztec isn’t new to me; I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (ebanking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

Figure: AS199079 AS path (source: http://bgp.he.net/AS199079#_graph4)

Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend dropping any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds: I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well.

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)
91.243.115.0/24

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)
91.213.126.0/24

AS34109 CB3ROB Ltd. & Co. KG (suspect)
84.22.96.0/19
91.209.12.0/24
205.189.71.0/24
205.189.72.0/23

AS12327 IDEAR4BUSINESS-INTERNATIONAL-LTD (suspect)
31.222.200.0/21
37.148.218.0/23
37.148.218.0/24
37.148.219.0/24
37.148.220.0/22
195.191.102.0/23
195.191.102.0/24
195.191.103.0/24

Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special about this specific campaign is that it wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelihos), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign.


Since the criminals are using compromised email servers, many DNSBLs fail to catch those messages, because most DNSBLs focus on botnet or snowshoe spam. Hence the criminals can be fairly sure that most of these spam mails get delivered to the victims’ mailboxes.

You can protect yourself / your network from this threat by doing a few simple things:

* delta.com does have an SPF record that defines the permitted senders for this specific domain name
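The SPF check is exactly the control that catches this campaign: the sending servers are legitimate (if compromised) mail servers, so they are not on botnet blocklists, but none of them is authorised to send for delta.com. The following is an added example, not code from the original post; it evaluates a simplified SPF policy (ip4/ip6/all mechanisms only, no DNS) against a constructed record and constructed sender IPs, since delta.com's real record is not reproduced here.

```python
"""Simplified SPF evaluation for the sender-IP check recommended above.

Added example, not from the original post. The SPF record below is
CONSTRUCTED for illustration (it is not delta.com's real record) and no
DNS lookup is performed. Only ip4, ip6 and "all" terms are evaluated;
include/a/mx/redirect are reported as "unsupported" rather than resolved.
"""
import ipaddress
import re

# Constructed policy for the spoofed From: domain (assumption, not real data).
CONSTRUCTED_SPF = {
    "delta.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, records=CONSTRUCTED_SPF):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'unsupported'."""
    record = records.get(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|all)(?::(.+))?", term, re.IGNORECASE)
        if m is None:
            return "unsupported"  # include:, a, mx, redirect= ... not handled here
        qual, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            return QUALIFIER[qual]  # terminal catch-all, e.g. "-all" -> fail
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIER[qual]  # first matching mechanism wins
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208)


def mail_action(sender_ip, mail_from_domain, records=CONSTRUCTED_SPF):
    """Map the SPF result to an MTA action (policy mapping is an assumption)."""
    result = check_spf(sender_ip, mail_from_domain, records)
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept"), result


if __name__ == "__main__":
    # 198.51.100.7 stands in for a compromised third-party relay (constructed).
    for ip in ("203.0.113.42", "198.51.100.7", "2001:db8:2::25"):
        print(ip, "->", mail_action(ip, "delta.com"))
```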
