Delta Airlines spam delivers Citadel Trojan
Posted on 19.02.2013
Roman Hüssy over at Zeus Tracker warns about a Delta Airlines-themed spam campaign that ultimately leads to a variant of the Citadel malware - a banking Trojan that is based on Zeus' source code:

The link included in the email leads to a compromised site where the ZIP archive - - is offered for download. The archive contains a screensaver file by the same name and it, in turn, contains the Trojan, which currently has a pretty low detection rate.

"Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine," notes Hüss, adding that once infected, the computers try to contact several Citadel C&C servers, which are all currently located in the same subnet that belongs to a ISP named "Aztec ltd" and have been already been listed on Zeus Tracker by him.

An investigation into the ISP's upstream providers, he discovered a few names that sound familiar to botnet researchers, and advises network operators to drop any packets from / to those networks at their network’s edge.

"What is special with this specific campaign is that is wasn’t sent out by a botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign," he noted.

"Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox."


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th