Citadel Trojan Tough for Banks to Beat

Experts: Enhanced Trojan is Fiercest Banking Malware Yet

By , November 12, 2012.
The banking Trojan known as Citadel, which debuted in underground forums in January 2012, has evolved to become one of the financial industry's greatest worries, cybersecurity experts say.

Citadel, an advanced variant of Zeus, is a keylogger that steals online-banking credentials by capturing keystrokes. Fraudsters then use stolen login IDs and passwords to access online accounts, take them over and schedule fraudulent transactions.

Hackers from Eastern Europe are believed to be behind Citadel, a Trojan specifically designed for financial fraud and sold on the black market.

Citadel got attention in July and August, after the Federal Bureau of Investigation issued warnings to banks and credit unions about targeted attacks. Then on Aug. 17, the FBI's Internet Crime Complaint Center issued a public alert about a Citadel attack launched with ransomware feigning to be from the FBI.

Now, malware researchers at various security firms say they've discovered in the latest version of Citadel an element they've never seen before in a Trojan: a browser injection that launches fake pop-ups during online banking transactions. The social-engineering tool fools online users into re-entering bank account logins and passwords.

Researchers at information security companies, including RSA and Malwarebytes, are constantly monitoring underground forums, and that's how this next-generation version of Citadel was discovered. In those forums, Citadel developers claimed they successfully infected computers with this latest version, and they explained how it works, says Jerome Segura, a senior security researcher at Malwarebytes.

Experts say the best way for financial institutions to help protect their customers and members against this new risk is to offer them a crash course in Trojan-intrusion defense.

"Remind consumers and businesses about the risks out-of-date software versions pose," Segura says. Malware often exploits vulnerabilities found in older versions, he adds, which is why software companies constantly issue updates and patches.

Financial institutions should remind businesses and consumers alike that they should run full-system virus scans at least once per week, Segura says.

And they also should remind all online users to think twice before they enter usernames and passwords. "They need to take their time," Segura says. "If something seems odd, stop."

Citadel Enhancements

On Nov. 5, Segura blogged about Citadel's enhancements.

For example, the latest version of Citadel apparently can get past most commonly used anti-virus systems. Segura notes that hackers claim PCs relying on anti-virus solutions from Microsoft Security Essentials, McAfee, and Norton were infected. "That's kind of worrisome," he says.

What's more, Citadel's developers have enhanced the way they launch and manage Citadel attacks, says Limor Kessem, lead cyber-intelligence expert at RSA.

Through what Kessem calls "dynamic configuration," Citadel botmasters can increase their interactions with infected PCs. "This nifty function allows Trojan operators to create Web injections and use them on the fly, pushing them to selected bots without the hassle of pushing [or] downloading an entire new configuration file," Kessem writes of the latest Citadel version, known as the Rain Edition, in an Oct. 18 blog.

Citadel's enhancements signify a rapid evolution as well as the increasing expertise of the developers behind it, Kessem says.

"The trouble with Citadel is that it is commercial, so a lot more fraudsters buy it and use it than other Trojans like Gozi," Kessem says. "Yes, the people behind Gozi Prinimalka wanted to launch a big campaign and hire 100 botmasters; but we will still have far more attacks from Citadel."

Citadel's Evolution

Citadel's superior functionality wasn't the only issue that attracted attention early on. The business muscle behind the Trojan also sparked concern, Segura says.

Follow Tracy Kitten on Twitter: @FraudBlogger