Citadel's creator, who goes by the handle "Aquabox", was recently banned from one of the most popular underground forums for selling malware, but that was apparently not the end of Citadel.
McAfee's research has revealed that some cybercriminal groups have had the innovative idea of using Citadel for purposes other than the one it was originally built for.
The Citadel Trojan is currently most prevalent in European countries, and the number of infections is rather small, around 1,000. The researchers estimate that some 300 different samples of the Trojan are currently active in the wild, mostly on computers within commercial entities or government organizations.
"Variants of Citadel have struck victims in a single country and, in some cases, a single city," they shared in a white paper.
"We observed a Spanish campaign that used a single variant of Citadel to target the city of Madrid. The malware was distributed to fewer than a dozen victims. No prior or later samples were related to this campaign, and we consider this incident isolated. The targets were selected for reasons unknown. This case helps us see that Citadel is being used for interests other than financial crime."
Another indication that Citadel is being used for purposes other than financial fraud is that some campaigns involving government targets lack a malware configuration file containing banking targets.
"Citadel has features that extend beyond targeting customers of financial institutions. The malware can collect anything from a victim’s PC. Citadel Version 1.3.45, the 'Extreme Edition,' contains functionality allowing a simplified virtual network computing (remote control) connection to the victim. In other words, the Trojan will establish (automatically if need be) from the control panel a hidden channel of communication with the victim’s PC," they explained.
In the dozen or so campaigns spotted since last October, Citadel appears to have been used to harvest credentials from internal applications, banking system applications, manufacturing systems, and so on, as well as to exfiltrate other data.
The attacks have, for now, been concentrated on government offices in Poland, Japanese prefectures, and commercial entities in Denmark and Sweden.
McAfee researchers believe that all of these campaigns have been perpetrated by a group they dubbed the "Poetry Group", on account of the poetic text included in the malicious binaries. The verses are by Shakespeare and often allude to the targets, which leads the researchers to speculate that the attackers might be of English origin.
Apart from this, the various analyzed campaigns have other things in common: common URL paths for drop zones, unique strings that appear in the malicious process memory, and the targets (government entities in Nordic countries). Control servers for the campaigns are mostly hosted in the United States.
"After an analysis of 300 unique Citadel Trojan samples, we conclude that the poetry strings are not caused by a common tool nor are they included in Citadel by default; they are the work of the Poetry Group. We suspect that Poetry Group may be a byproduct of a for-hire data-gathering operation for a private clientele; and their tool of choice is Citadel," concluded Ryan Sherstobitoff, threats researcher with McAfee Labs and author of the white paper.