The banking Trojan known as Citadel, which debuted in underground forums in January 2012, has evolved to become one of the financial industry's greatest worries, cybersecurity experts say.
Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Fraudsters then use stolen login IDs and passwords to access online accounts, take them over and schedule fraudulent transactions.
Hackers from Eastern Europe are believed to be behind Citadel, a Trojan specifically designed for financial fraud and sold on the black market.
Citadel got attention in July and August, after the Federal Bureau of Investigation issued warnings to banks and credit unions about targeted attacks. Then on Aug. 17, the FBI's Internet Crime Complaint Center issued a public alert about a Citadel attack launched with ransomware feigning to be from the FBI.
Now, malware researchers at various security firms say they've discovered in the latest version of Citadel an element they've never seen before in a Trojan: a browser injection that launches fake pop-ups during online banking transactions. The social-engineering tool fools online users into re-entering bank account logins and passwords.
Researchers at information security companies, including RSA and Malwarebytes, are constantly monitoring underground forums, and that's how this next-generation version of Citadel was discovered. In those forums, Citadel developers claimed they successfully infected computers with this latest version, and they explained how it works, says Jerome Segura, a senior security researcher at Malwarebytes.
Experts say the best way for financial institutions to help protect their customers and members against this new risk is to offer them a crash course in Trojan-intrusion defense.
"Remind consumers and businesses about the risks out-of-date software versions pose," he says. That's because malware often exploits vulnerabilities identified in older versions, he says, which is why software companies are constantly issuing updates and patches.
Financial institutions should remind businesses and consumers alike that they should run full-system virus scans at least once per week, Segura says.
And they also should remind all online users to think twice before they enter usernames and passwords. "They need to take their time," Segura says. "If something seems odd, stop."
On Nov. 5, Segura blogged about Citadel's enhancements.
For example, the latest version of Citadel apparently can get past most commonly used anti-virus systems. Segura notes that hackers claim PCs relying on anti-virus solutions from Microsoft Security Essentials, McAfee, and Norton were infected. "That's kind of worrisome," he says.
What's more, Citadel's developers have enhanced the way they launch and manage Citadel attacks, says Limor Kessem, lead cyber-intelligence expert at RSA.
Through what Kessem calls "dynamic configuration," Citadel botmasters can increase their interactions with infected PCs. "This nifty function allows Trojan operators to create Web injections and use them on the fly, pushing them to selected bots without the hassle of pushing [or] downloading an entire new configuration file," Kessem writes of the latest Citadel version, known as the Rain Edition, in an Oct. 18 blog.
Citadel's enhancements signify a rapid evolution as well as the increasing expertise of the developers behind it, Kessem says.
"The trouble with Citadel is that it is commercial, so a lot more fraudsters buy it and use it than other Trojans like Gozi," Kessem says. "Yes, the people behind Gozi Prinimalka wanted to launch a big campaign and hire 100 botmasters; but we will still have far more attacks from Citadel."
Citadel's superior functionality wasn't the only issue that attracted attention early on. The business muscle behind the Trojan also sparked concern, Segura says.
"It seems to be a well-supported system, and the developers are getting paid well for it," Segura says. "The toolkit was going for $3,000 three months back; now it's selling for $4,000, with monthly contributions on top of that for additional features and modules."
Citadel is well protected, too. "It's only talked about in Russian-speaking [underground] forums, and it's becoming more difficult to get your hands on it," Segura says. Today, users have to pre-register for access to online forums where Citadel is sold.
Experts suggest later and greater versions of Citadel are on the way because underground interest is high. Staying ahead of those newer versions will require that the industry stay informed, says Rainer Enders, chief technology officer of the Americas for NCP Engineering, which specializes in secure remote access and virtual private network software.
"Citadel is pretty sophisticated," he says. "It calls for better security measures, and it's no secret that security has been too lax at too many companies in so many ways."
For Segura, Citadel's new pop-up feature will be tricky for banks to address. "You can see how easily it fools a user," he says.
More banking institutions are posting disclaimers on their sites about phishing attacks as well as legitimate ways institutions often communicate with customers and members.
But it's very easy for consumers to fall into the trap when fraudsters' pop-ups appear during an online session, Segura says. "It seems legitimate that the bank would ask additional questions or for additional information," he says. "The banking site is real. It's the pop-up that is infected."
Nuances related to how Citadel is launched also raise concerns.
All Trojan attacks rely on browser- or Web-injected code. Standard keyloggers have performed in that way for years. And all Trojan attacks, until now, have comprised two parts: a binary file and a configuration file. The binary file infects a PC with the Trojan; the configuration file, which is sent by a botnet after the Trojan is installed, tells the Trojan how to act. "It instructs what URLs to contact, what URLs to attack and what to communicate to the botnet," Kessem says.
With the Rain Edition of Citadel, however, those Web injections are now customized without a configuration file. That means the botmaster, if he chooses, can wage his attack in real-time against a victim of his choosing, she says.
"The injection is more interesting than anything we've seen so far," Kessem says. "They've cut out the need to have to upload the config file, so now the botmaster doesn't have to send anything or wait for the bot to update the config file of the code. Now they can just choose the machine they want to access through their [control] panel."
That advancement is a significant leap forward in malware, Segura says.
"These are custom Web injects," he says. "They can be launched automatically, based on traffic that is going to a site, or you as the hacker can launch it manually, in real-time, by injecting custom script to just target a particular user."
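One defensive counterpart to the custom Web injects described above, written as an added example rather than code from the article or from any vendor named in it: a page-integrity audit a bank could ship in its own page that flags credential prompts the page never served. The `expected` manifest, the `auditCredentialFields` function and the stub page are all constructed for this illustration.

```javascript
// Added example, not code from the article or any vendor: a bank's page compares
// the live DOM against a manifest of the credential fields and form actions it is
// known to contain, so a "re-enter your login" form added by a Web inject stands out.
// `expected` and the stub page below are constructed sample data.
// Works on a real `document.body` (tagName, getAttribute, children) or the stub nodes.
function auditCredentialFields(root, expected) {
  const findings = [];
  const ownHost = new URL(expected.origin).host;
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    const tag = String(node.tagName || '').toLowerCase();
    if (tag === 'input') {
      const type = (node.getAttribute('type') || 'text').toLowerCase();
      const name = node.getAttribute('name') || '';
      const sensitive = type === 'password' || /pass|pin|token|otp|ssn/i.test(name);
      if (sensitive && !expected.fields.includes(name)) {
        findings.push({ kind: 'unexpected-credential-field', name, type });
      }
    } else if (tag === 'form') {
      // A form the page never declared, or one posting to a foreign host, is the
      // fingerprint of an injected credential prompt.
      const action = node.getAttribute('action') || '';
      let host = '';
      try { host = new URL(action, expected.origin).host; } catch (e) { host = '?'; }
      if (!expected.actions.includes(action) || host !== ownHost) {
        findings.push({ kind: 'unexpected-form', action });
      }
    }
    for (const child of node.children || []) stack.push(child);
  }
  return findings;
}

// Minimal stub so the audit runs outside a browser (constructed sample page).
const el = (tagName, attrs = {}, children = []) =>
  ({ tagName, children, getAttribute: (k) => (k in attrs ? attrs[k] : null) });
const expected = { origin: 'https://bank.example', actions: ['/login'],
                   fields: ['userid', 'password'] };

// Genuine login form plus an injected overlay asking the user to "re-enter" details.
const page = el('body', {}, [
  el('form', { action: '/login' }, [
    el('input', { name: 'userid' }), el('input', { type: 'password', name: 'password' })]),
  el('div', { id: 'overlay' }, [
    el('form', { action: 'https://collector.invalid/drop' }, [
      el('input', { type: 'password', name: 'confirm_pass' }),
      el('input', { name: 'atm_pin' })])])]);

const findings = auditCredentialFields(page, expected); // 3 findings: 1 form, 2 fields
```

In a real deployment the findings would be reported to the bank's own telemetry endpoint so the session can be flagged before a transaction is scheduled.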
Advice for Banks
So how can institutions mitigate their risks? Sticking with best practices is a good place to start. Security experts stress: