Citadel Malware Back Bigger and Stronger

The dreaded Citadel banking malware has just returned with a new and powerful avatar. According to a team of researchers at IBM, Citadel has recently been updated, which allows it to use remote management tools to control the infected machine.



The old Citadel Trojan was created to steal important data, including banking and other financial information. It was built from the source code of Zeus, and it created a botnet with many infected machines. It could also run scareware and ransomware.

This latest version has all these capabilities, and it also possesses multiple remote management tools including VNC, which ensures that the hackers can control the machine even after the removal of malware.

The details of these findings were shared by Etay Maor, who works at IBM as the fraud prevention solutions manager. He revealed that this new Virtual Network Computing (VNC) update provides the attackers with Remote Desktop Protocol (RDP)-like access. He also stressed that the attackers would be able to control the machine even after the malware has been detected and removed.

The protocols VNC and RDP were initially developed to help technical support specialists to gain access to remote computers. The RDP capabilities native to the Windows operating system are assumed to be genuine by the host computer.

That is probably why such attacks are not noticed easily: enterprises assume the remote sessions are legitimate tech-support activity.

How RDP & VNC Pass Off as Legitimate

When a user has a problem, they call their organization’s tech support for help. Since it is easier for the technician to solve the issue remotely than to visit the user’s site, they use remote-access protocols to work on the user’s machine.

Both RDP and VNC are frequently used by technical support staff to gain remote access to users’ machines and resolve issues. Now the attackers have started using these same protocols to target their ‘big fish’. For them, it is the most reliable way to siphon off large sums from the victim’s accounts: by conducting a manual attack rather than relying on automated scripts.

For the attackers, working manually has a number of advantages as compared to the old automated approach. Firstly, the attackers can easily enter an authenticated session and gain access to critical information such as user names and passwords. Secondly, since the remote access is essentially directed from an authenticated user’s device, it is not seen as an external attack. Lastly, it does not involve the ‘suspicious’ behavior of an automated script, which is easily detected by security applications.

What sets Citadel apart from most of the other malware is that it also provides the attackers with the ability to run Windows shell commands.

These features are extremely useful when the attackers are looking to infect a sophisticated target that needs prior planning and precise execution. This makes network mapping an extremely easy and convenient task.

After this capability was discovered, Citadel’s advertisement listed the feature as ‘AutoCMD’. Amidst all its attacking and damaging capabilities, the old Citadel also had a shortcoming: the VNC features are lost as soon as the malware is detected and removed from the victim’s machine. However, the security team at Trusteer believes that the attackers, in the latest variant, have found a way around this.

So What’s New Here?

As soon as the victim’s machine is infected with the latest Citadel variant, the Windows shell commands go well beyond surveying or probing the system. They perform the following tasks:

• Addition of a new user to the local Administrators group and the local Remote Desktop Users group
• Setting that account’s password so that it never expires (a ‘lifetime’ password)
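One way a defender can hunt for the persistence pattern described above (a local account with a never-expiring password sitting in the Administrators or Remote Desktop Users group), as an added PowerShell example that is not part of the article or of any IBM/Trusteer tooling. It assumes Windows PowerShell 5.1 or later with the built-in Get-LocalUser and Get-LocalGroupMember cmdlets, run with local administrator rights; the group names, the 30-day window and the function name are choices made here, not values from the article.

```powershell
# Added example (not from the article): audit local Administrators and
# Remote Desktop Users for enabled accounts whose password never expires,
# the combination the article attributes to Citadel's 'AutoCMD' commands.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Get-SuspiciousLocalAccounts {
    param(
        # Groups the article says the backdoor user is added to (assumed names).
        [string[]]$Groups = @('Administrators', 'Remote Desktop Users'),
        # Accounts whose password was set more recently than this are also flagged.
        [int]$RecentDays = 30
    )

    $cutoff   = (Get-Date).AddDays(-$RecentDays)
    $findings = @()

    foreach ($group in $Groups) {
        # Only local user principals matter here; domain members, groups and
        # orphaned SIDs are skipped.
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

        foreach ($member in $members) {
            # Member names come back as COMPUTER\user; keep only the user part.
            $userName = ($member.Name -split '\\')[-1]
            $user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
            if (-not $user -or -not $user.Enabled) { continue }

            $reasons = @()
            # PasswordExpires is $null when the account's password never expires.
            if ($null -eq $user.PasswordExpires) { $reasons += 'password never expires' }
            if ($user.PasswordLastSet -and $user.PasswordLastSet -gt $cutoff) {
                $reasons += "password set within the last $RecentDays days"
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Group   = $group
                    User    = $userName
                    SID     = $user.SID.Value
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Usage: review the table; the same account flagged in both groups is the
# pattern described above and warrants investigation before any cleanup.
Get-SuspiciousLocalAccounts | Format-Table -AutoSize
```

Built-in or long-standing service accounts can also have non-expiring passwords, so treat a hit as a lead to correlate with account creation time and RDP logon history rather than as a verdict.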

Why is Citadel the Hackers’ Choice?

Its biggest advantage in the eyes of attackers is that it gives them access to the infected machine even after the malware has been removed. This approach works best when the target is a large enterprise. The following features make it an ideal choice for hackers.

• Continuous access to the machine even after the malware is removed
• Deceiving users into thinking their machine is safe once the malware has been removed
• The RDP capability gives the attacker’s session the look of an authenticated local Windows session, so security software does not intercept it as an external attack.

Citadel seems to be waging a war against the targeted companies and is leaving no stone unturned to equip its malware with state of the art capabilities.