Citadel malware becomes APT tool in newest hacking campaign

APT attackers wielding newer, more dangerous versions of the Citadel malware have been targeting a number of Middle Eastern petrochemical companies, Trusteer researchers have discovered.

The companies in question have been duly informed of the attacks, Dana Tamir, Director of Enterprise Security at Trusteer, has confirmed in a blog post. Among the targets are a supplier of raw petrochemical materials, as well as one of the largest sellers of petrochemical products in the region.

The attackers behind this particular campaign are still unknown.

“While the use of advanced malware that was originally built for financial theft as a generic advanced persistent threat (APT) tool is not new, this is the first time we’ve seen Citadel used to target nonfinancial organizations in a targeted/APT-style attack in order to potentially access corporate data, steal intellectual property or gain access to secured corporate resources, such as mail systems or remote access sites,” she noted.

Early versions of Citadel had Man-in-the-Middle capabilities and were geared towards stealing banking credentials, but current versions offer much more.

Instructed by the configuration file it downloads from a remote server the first time it runs on a target system, the malware waits for the user to access the company’s webmail system, then intercepts the login credentials he or she entered into the site.

This information is then sent to the attackers, who can use it to log into the user's corporate email account and access all the information it contains, not to mention send out extremely credible phishing emails.

These newer Citadel versions are also capable of logging keystrokes, grabbing screenshots, injecting HTML content into legitimate Web pages, and allowing attackers to control the compromised machine remotely.

The malware also employs advanced evasion techniques to hide from AV solutions and evade security controls, as well as anti-research techniques to make its analysis difficult for security researchers.

“The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass distribution techniques to infect as many PCs as possible,” Tamir pointed out, adding that IBM Trusteer’s Service team has discovered massively distributed APT malware in “practically every customer environment in which they’ve worked.”
