Citadel Trojan Moves Beyond Banks

Malware Targets New Global Sectors, Intellectual Property
Despite its commercial removal from underground forums last year, the highly sophisticated Trojan known as Citadel is now a global threat to multiple business sectors, not just financial services, according to researchers at McAfee Labs.

This latest version of Citadel, an advanced Zeus variant originally designed to steal online banking credentials, is now being used to steal intellectual property. And everything from government agencies and healthcare organizations to manufacturing companies, the oil and gas industry, and educational institutions is being targeted, researchers warn.

The financial sector, of course, remains a primary target, says Ryan Sherstobitoff, a McAfee researcher who's published a report about Citadel's new global targets. But the measures banks and credit unions have in place to detect incidents of account takeover, which often result when keyloggers like Citadel hijack online credentials, are no longer enough.

Defense Strategy

"Institutions have to think about defense in-depth," Sherstobitoff says. "You can't just rely on cash management systems or anti-virus software to detect an intrusion or anomalous behavior."

These recent Citadel attacks reveal hackers are infiltrating internal systems and staying in the network for stretches of time, often undetected.

For banking institutions, and others, the best defense is internal network monitoring to determine if files and systems are being accessed - even if no fraudulent transactions result.

"Monitoring internal ... controls is just as important as monitoring the transaction associated with an online banking customer's account," Sherstobitoff says. "If you don't know who's in your network, you have to monitor what is going on - what's being accessed, downloaded and viewed."

Citadel's Evolution

Since October, Citadel has been used to steal intellectual property, not just take over online banking accounts, Sherstobitoff says. A network of attackers known as the Poetry Group is suspected of developing this variant of the malware to pose a more critical threat, he adds.

"From our field telemetry, we were able to pinpoint the regions and identify targets and victims spanning more than a half-dozen campaigns," Sherstobitoff says. "The attacks are moving from targeting just financial information to targeting data and company secrets."

What stands out about the message behind the attacks, and makes them different from Citadel strikes documented in 2012, is the insertion of poetry as a string-table resource within the malware binary code, he says.

"We've found them making political statements against the groups they are targeting," Sherstobitoff explains.

But McAfee does not believe the Poetry Group is waging its attacks for a social cause. Instead, researchers suspect the group is a data-gathering operation on the market for hire, Sherstobitoff says.

Researchers also suggest the Poetry Group is likely of English origin, because many of the poetic statements contained in the attacks reference England and English kings. McAfee has traced many of the attack control servers to hosted sites in the United States, although the targeted entities were often located in Denmark, Sweden and Poland.

A Security Reminder

Citadel's shift from solely a banking Trojan to a cyber-espionage tool is a first, Sherstobitoff says. "We typically don't see banking malware used for purposes other than stealing money from victims," he writes in his report.

But Sherstobitoff stresses that any malware can be used for a new purpose. Just because a Trojan was developed to target banking accounts does not mean other industries are immune.

"The owner of the botnet can get in to customize Web injects and automate certain applications," he explains.

In the case of Citadel, because the Trojan offers attackers remote access, and can capture any information entered on an infected user's PC screen, the use of compromised data and information for a future attack should be a top concern, Sherstobitoff says.

"If they wanted to penetrate the entire network of a financial institution or some other organization, they could," he says.

The best precaution organizations can take is to ensure anti-virus software and systems are up-to-date. "These attacks result from not taking patch management seriously," Sherstobitoff adds.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.