Delta Airlines Spam Lead To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines <tickets@delta.com>
To:
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

FLIGHT NUMBER DT628190172US
ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington
TOTAL PRICE / 429.33 USD

Please download and print your ticket from the following URL:

http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

For more information regarding your order, contact us by visiting:

https://www.delta.com/content/www/en_US/support/talk-to-us.html

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:

URL: http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

Filename: pdf_delta_ticket.scr (pdf_delta_ticket.zip)
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign uses several C&C servers, all located in the same subnet:

Citadel config/binary URLs:

hXXp://91.243.115.83/caca/flogin.php
hXXp://91.243.115.84/caca/flogin.php
hXXp://91.243.115.85/caca/flogin.php
hXXp://91.243.115.86/caca/flogin.php

Citadel dropzones:

hXXp://91.243.115.83/caca/glogout.php
hXXp://91.243.115.84/caca/glogout.php
hXXp://91.243.115.85/caca/glogout.php
hXXp://91.243.115.86/caca/glogout.php

They are already listed on ZeuS Tracker:
https://zeustracker.abuse.ch/monitor.php?as=199079

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: 91.243.115.0 - 91.243.115.255
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email: abuses@aztec-ltd.ru
remarks: ***************************************
remarks: All other notifications to: support@aztec-ltd.ru
abuse-mailbox: abuses@aztec-ltd.ru
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to '91.243.115.0/24AS199079'

route: 91.243.115.0/24
descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (www.aztec-ltd.ru), you just see the output of phpinfo(). Quite suspect for an internet service provider, isn’t it? Aztec isn’t new to me: I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial (ebanking) fraud.

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

[Figure: AS path graph for AS199079. Source: http://bgp.he.net/AS199079#_graph4]

Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals; I recommend dropping any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds: I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well.

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)
91.243.115.0/24

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)
91.213.126.0/24

AS34109 CB3ROB Ltd. & Co. KG (suspect)
84.22.96.0/19
91.209.12.0/24
205.189.71.0/24
205.189.72.0/23

AS12327 IDEAR4BUSINESS-INTERNATIONAL-LTD (suspect)
31.222.200.0/21
37.148.218.0/23
37.148.218.0/24
37.148.219.0/24
37.148.220.0/22
195.191.102.0/23
195.191.102.0/24
195.191.103.0/24

Such spam campaigns are not uncommon; I see 1-3 of them on a daily basis. However, what is special about this specific campaign is that it wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelihos), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign.

Since the criminals are using compromised email servers, many DNSBLs fail to catch these senders, because most DNSBLs are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails get delivered to the victims’ mailboxes.

You can protect yourself / your network from this threat by doing a few simple things:

* delta.com does have an SPF record that defines the permitted senders for this specific domain name
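As an added example (not part of the original post), a minimal SPF evaluator for the ip4/ip6/all mechanisms, showing how a mail gateway rejects a message whose envelope sender claims this domain when the connecting SMTP server is not among the permitted senders. The SPF record and all IP addresses below are constructed for illustration; they are not delta.com’s real record or the relays seen in this campaign.

```python
import ipaddress

# Constructed SPF record for illustration; NOT delta.com's real record.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ip6:2001:db8::/32 -all"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip.

    Returns the result of the first matching mechanism ('pass', 'fail',
    'softfail' or 'neutral'), or 'none' if nothing matches. Mechanisms that
    need DNS (include, a, mx, ptr, exists) are out of scope for this offline
    example and raise NotImplementedError; modifiers (redirect=, exp=) are
    ignored.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mech in ("include", "a", "mx", "ptr", "exists"):
            raise NotImplementedError(f"{mech} needs DNS lookups")
    return "none"


def gateway_decision(record, sender_ip):
    """Map the SPF result to the action a strict gateway would take."""
    result = check_spf(record, sender_ip)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    # 203.0.113.45 stands in for a compromised third-party relay (constructed).
    for ip in ("192.0.2.7", "203.0.113.45", "2001:db8::1"):
        print(ip, check_spf(EXAMPLE_SPF, ip), gateway_decision(EXAMPLE_SPF, ip))
```

A relay outside the published ranges hits the `-all` term and is rejected, which is exactly what a mail gateway enforcing SPF would have done to these compromised-server senders.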

Dutch Spam Campaign Hits Switzerland With P2P ZeuS

Weird things are going on here in Switzerland. Today I’ve seen a spam campaign sent out by the Cutwail spambot (one of the biggest spam botnets in the world), hitting Switzerland with the P2P version of ZeuS (aka P2P ZeuS aka ZeuSv3 aka Gameover ZeuS). The spam email looks like this:

From: reportbank@ag.ch
Subject: Re: onjuist ingevulde NATXXXX belastingformulier

Helaas is u op de hoogte dat je hebt fouten gemaakt bij het invullen van de laatste belastingformulier applicatie (ID: XXXXX).
vindt u het advies van onze fiscalisten Op deze link
( 1 minuut Wacht tot rapport zal laden)

Wij vragen u om corrigeer de fouten en bestand de herziene aangifte aan uw lokale belastingkantoor zo snel mogelijk.

Kanton Aargau
XXX XXX
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 3352 Aarau
Tel.: +41 (0)62 362 XX XX
Fax: +41 (0)62 365 XX XX

What is weird about this spam campaign is that it imitates a social department of the Swiss canton Aargau (a German-speaking canton), but the text in the email is written in Dutch. It might be hard to believe, but most Swiss citizens don’t speak Dutch at all…

Additionally, I’ve seen that Cutwail is sending out this spam campaign to non-CH mailboxes as well (.net, .com etc.). So it is not yet clear whether the intent of the criminals behind this malware campaign is to hit Swiss citizens or not (I don’t think that many foreign citizens know the canton Aargau…).

The spam email contains a hyperlink to a hijacked website, for example:

hXXp://robfama.com/Kompetenzzentrum.htm

The page looks like this:

For a normal visitor the page doesn’t look suspect at all; it’s a copy of the official web page of the canton Aargau (a Swiss canton). However, if you take a closer look at the HTML source of the advertised URL, you will notice malicious JavaScript code that causes the visitor’s web browser to load content from a foreign URL hosted in Korea:

hXXp://africanbeat.net/detects/urgent.php

africanbeat.net points to 222.238.109.66

[ Network Information ]
IPv4 Address : 222.232.0.0 - 222.239.255.255 (/13)
Service Name : broadNnet
Organization Name : SK Broadband Co Ltd
Organization ID : ORG3930
Address : 267, Seoul Namdaemunno 5(o)-ga Jung-gu SK NamsanGreen Bldg.
Zip Code : 100-711
Registration Date : 20040402

The mentioned website (africanbeat.net) is likely operated by cybercriminals and hosts an exploit kit called “Blackhole”. Blackhole is able to exploit various (known) vulnerabilities in the visitor’s web browser (e.g. Internet Explorer or Firefox) as well as in third-party browser plugins like Adobe Flash, Adobe Reader and Sun Java. If the software installed on the visitor’s computer is not fully patched, Blackhole will exploit a vulnerability and use it to install an ebanking Trojan called P2P ZeuS.

Since P2P ZeuS doesn’t use any centralized (botnet) infrastructure, there is no central botnet C&C domain/IP you could block on your company’s gateway. However, P2P ZeuS uses P2P functionality, communicating with other infected bots around the globe over high TCP/UDP ports. You can therefore mitigate this threat by blocking any outgoing TCP and UDP port higher than 1024 on your firewall (as a side note: you should restrict outgoing traffic on your firewall anyway).

Additionally, I recommend everyone to block the following domain names and IP address at the network edge:

  • 222.238.109.66 (Blackhole Exploit Kit hosting)
  • africanbeat.net (Blackhole Exploit Kit hosting)
  • 63.143.53.180 (Malware DNS server)

*** Further reading ***

Follow me on Twitter: https://twitter.com/abuse_ch