At 8:43 US EDT, Fox-IT’s cybersecurity operations center identified a variant of Citadel malware on NBC.com. It was discovered coincidentally in the course of its ongoing monitoring service; one of Fox-IT’s customers was infected as a result of visiting the site. Ronald Prins (@cryptoron), Fox-IT’s CEO, tweeted the incident to alert site visitors, while Fox-IT security experts contacted the incident handling team at GE, the owner of NBC.com, to alert them to the problem.
Technical details can be found at the Fox-IT blog.
While NBC.com is still online, the security features of most browsers (Chrome, Firefox and Facebook) have been showing users a warning message before they access the site.
Other recent attacks on the NY Times and the Wall Street Journal show that compromising such high-traffic websites vastly improves an attacker’s chances of success by giving the attack a massive reach.
Citadel was originally designed for bank fraud and cyber espionage. This variant of Citadel is delivered by an exploit kit called “RedKit”, which compromises computers through vulnerabilities in PDF and Java software. Once installed, the bot crawls through files to seek out and capture personal information, including online banking credentials. Variants of Citadel can automatically insert bank transfers and credit card payments.
This version of Citadel is detected by only three of the 46 antivirus engines on virustotal.com: Fortinet, Panda and Rising.
Both detection and removal of the malware are difficult by design. Several sites offer tips on detection and removal, including HitmanPro, but beware of scams.
Fox-IT monitors and captures the chatter, contains the fallout and minimizes the damage of cyber-attacks every day. Founded in 1999 as Europe’s first digital investigation agency, Fox-IT specializes in cyber defense tools, proactive monitoring services and rapid incident response for banks, governments and highly secure/highly sensitive enterprises.