What does the Poetry Group do with the Citadel trojan?

Pierluigi Paganini February 23, 2013

Recently I published an article on the attacks against Japanese banks using a new variant of the popular Zeus, one of the most prolific pieces of malware in recent history; security experts have in fact detected numerous versions of this malicious code, which has also hit mobile and social networking platforms.

Thanks to its flexibility, the malware has been re-engineered several times by cyber criminals, who adapted its structure to specific purposes and contexts while leaving its core capability, stealing victims' banking credentials, unchanged.

Zeus has been a huge success in criminal circles, especially thanks to its malware-as-a-service sales model, implemented by its authors on many underground sites; consider for example the Citadel Trojan, one of the most popular kits on the crimeware market. Fortunately its author, known as Aquabox, has been banned from a large online forum that sells malware and other services to cybercriminals, but many security firms still consider the Citadel trojan a very active threat that continues to infect many machines all over the world.

Security experts from McAfee Labs are confident that the agent will remain active for a long time, and they also indicate that some groups of hackers are starting to use the malware for other purposes, such as cyber espionage. The McAfee Global Threat Intelligence report indicates that the “Poetry Group” is one of the most active in this sense: the collective compromised 27 Japanese government offices across three distinct campaigns and targeted around 43 government offices in Poland. The group was very aggressive in October 2012, when it conducted more than a half-dozen campaigns infecting victims in Poland, Denmark, Sweden, Spain, the Netherlands, Estonia, the Czech Republic, Switzerland and Japan, compromising more than 1,000 victims worldwide.

The researchers from McAfee Labs were able to pinpoint the regions “and identify targets and victims spanning more than a half-dozen campaigns”; the highest infection rates were registered in Denmark, Poland, Spain and Japan.

[Image: Citadel threat chart, McAfee]

Curiously, Japan is one of the countries most targeted by cyber espionage campaigns; in many cases we have reported on malware-based cyber attacks that hit the country's industry and government offices.

The victims located in Poland appear to be all government offices, and the experts discovered that the attackers conducted a targeted campaign against specific targets across the country from December 2012 to January 2013.

The way the hackers chose to “sign” their work is curious: they added strings of poetry to the malware binary. Ryan Sherstobitoff, a McAfee researcher, declared:

“We’ve found them making political statements against the groups they are targeting.”

McAfee analysts detected more than 300 unique Citadel Trojan samples, each of which included its own sequence of poetry strings that are not automatically generated; the specialists suspect that the Poetry Group may be a byproduct of a for-hire data-gathering operation serving a private clientele.
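Embedded marker strings like these are what let analysts group hundreds of samples into one family. As an added illustration of that triage technique (example code written for this article, not McAfee's tooling, and operating on constructed byte blobs rather than real Citadel samples), the script below extracts printable strings from a set of samples, keeps those shared by most of the set but absent from a benign baseline, and then uses the surviving markers to tag an unknown blob. The sample data, the poetry line and the baseline are all hypothetical.

```python
import re
from collections import Counter

MIN_LEN = 8  # shortest printable run treated as a "string", as in the strings(1) tool

# Constructed blobs standing in for Trojan binaries (hypothetical data, not real
# Citadel samples): ordinary import names plus one shared "poetry" line.
SAMPLES = {
    "sample_a.bin": b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00GetProcAddress\x00"
                    b"CreateFileA\x00the verses we leave behind us\x00cfg.dat\x00",
    "sample_b.bin": b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00GetProcAddress\x00"
                    b"WriteFile\x00the verses we leave behind us\x00other data\x00",
    "sample_c.bin": b"MZ\x90\x00\x03\x00\x00\x00KERNEL32.dll\x00LoadLibraryA\x00"
                    b"the verses we leave behind us\x00",
}

# Constructed baseline from a known-clean binary: any string found here is too
# common (imports, runtime names) to serve as a family marker.
BENIGN_BASELINE = {
    "clean_tool.bin": b"MZ\x90\x00KERNEL32.dll\x00GetProcAddress\x00CreateFileA\x00"
                      b"WriteFile\x00LoadLibraryA\x00notepad.exe\x00",
}


def extract_strings(data, min_len=MIN_LEN):
    """Return the set of printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.decode("ascii") for m in pattern.findall(data)}


def family_markers(samples, baseline, min_support=0.5):
    """Strings present in at least min_support of the samples and absent from
    the benign baseline, mapped to the number of samples containing them."""
    counts = Counter()
    for data in samples.values():
        # extract_strings returns a set, so each string counts once per sample
        counts.update(extract_strings(data))
    benign = set()
    for data in baseline.values():
        benign |= extract_strings(data)
    needed = min_support * len(samples)
    return {s: c for s, c in counts.items() if c >= needed and s not in benign}


def tag_sample(data, markers):
    """Which family markers an unknown blob contains; empty set means no match."""
    return extract_strings(data) & set(markers)


if __name__ == "__main__":
    markers = family_markers(SAMPLES, BENIGN_BASELINE)
    for s, c in sorted(markers.items(), key=lambda kv: -kv[1]):
        print(f"{c}/{len(SAMPLES)} samples contain {s!r}")
    print("unknown blob tagged with:", tag_sample(SAMPLES["sample_c.bin"], markers))
```

The baseline step matters: without it, import names such as KERNEL32.dll would score as "shared by every sample" and pollute the marker list. Markers of this kind are an attribution and triage aid rather than a primary detection, since the operator can change the strings at will; in practice they would feed a YARA rule alongside behavioral indicators.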

[Image: poetry strings embedded in Citadel samples]

In the fight against malware such as Citadel, a layered approach is fundamental: one able to detect the cyber threats themselves and also any suspicious behavior within the target networks. In many cases such malware has proven able to elude common antivirus systems and their behavioral detection modes.

Unfortunately these agents are able to remain silent for a long period, infiltrating internal systems and staying undetected in the target networks for a long time.

The adaptation of the Citadel malware for other uses is a worrying signal, given the capabilities of the malicious agent: the Trojan makes remote control of victims possible and is able to steal any kind of information, not only victims' banking credentials. Sherstobitoff added:

“If they wanted to penetrate the entire network of a financial institution or some other organization, they could.”

While waiting for further updates on the operations of the Poetry Group, let's keep antivirus software and any other application running on our systems up to date, because, as Sherstobitoff added,

“These attacks result from not taking patch management seriously.”

Pierluigi Paganini