Delta Airlines Spam Lead To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the infected computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign is using various C&C servers, all located in the same subnet:

Citadel config/binary URLs:

Citadel dropzones:

They are already listed on ZeuS Tracker:
https://zeustracker.abuse.ch/monitor.php?as=199079

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

When you visit their website (www.aztec-ltd.ru), you will just see an output of phpinfo(). Quite suspect for an internet service provider, isn’t it? Aztec isn’t new to me, I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (ebanking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend you to drop any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds. I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well

Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special with this specific campaign is that is wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign:

Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox.

You can protect yourself / your network from this threat by doing a few simple things:

• Check SPF and DKIM on your email gateway*
• Drop packets from/to the networks mentioned before
• Use Windows 7 AppLocker

* delta.com does have an SPF record that defines the permitted senders for this specific domain name

Related Posts

• Fake hotel.de Booking Emails Hitting CH and DE
• Fake Swisscom And T-Mobile Emails Hitting CH and DE
• Malware Spreads Through Malicious PDF Attachments
• Dutch Spam Campaign Hits Switzerland With P2P ZeuS
• A Quick Update On Spambot Kelihos
• Ransomware Gets Professional, Targeting Switzerland, Germany And Austria
• Kelihos Back In Town Using Fast Flux
• Scareware Locks Down Computer Due To Child Porn and Terrorism
• Ice IX – Or Just ZeuS?
• How Big is Big? Some Botnet Statistics