Researchers at IBM Trusteer have recently discovered targeted cyber attacks using a variant of the popular Citadel trojan against several Middle Eastern petrochemical companies. The Citadel trojan is malware designed to steal personal information, including banking and financial data, from infected machines. It was first discovered in 2012 and is based on the source code of the banking trojan Zeus. Over the years, security experts have discovered numerous Citadel botnets used to run large-scale scams.
The experts consider this discovery the first time the Citadel trojan has been used against nonfinancial entities in a targeted attack for corporate espionage.
“The targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. IBM has worked with the appropriate channels to responsibly disclose this information to the targeted companies.” reports a blog post published by SecurityIntelligence.
The online availability of the Zeus source code has made possible significant improvements to the Citadel malware, whose functionality has been extended by several malware authors. The latest versions include sophisticated remote management and data-stealing capabilities. In this specific case, the threat actors configured Citadel bots to spy on users’ activity on certain URLs (e.g. “http://mail.target-company.com”), such as the webmail of the targeted companies, and to grab all data submitted in forms. The information collected through form grabbing is sent to a C&C server managed by the cyber criminals, who can then log in on behalf of the victim, access corporate emails and manage the victim’s email account.
“Once Citadel is installed on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal and how to steal it. According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies. Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user. This is known as form grabbing, or “HTTP POST” grabbing. When the user submits information into the system, the Web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it is encrypted and sent to the server.” continues the post.
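A triage step this mechanism suggests for defenders, as an added example that is not from the IBM report or the original post: given URL masks recovered from a decoded configuration and a list of infected hosts, find the accounts whose form submissions were exposed and need a credential reset. The log format, masks, host addresses and function names are all constructed assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed values for illustration; none of them come from the report.
# Masks are assumed to use simple "*" wildcards.
TARGET_MASKS = ["http://mail.target-company.com/*",
                "https://portal.target-company.com/*"]
INFECTED_HOSTS = {"10.0.0.12", "10.0.0.40"}
# Constructed proxy log: timestamp, source IP, user, method, URL (or host:port)
SAMPLE_LOG = """\
2014-09-01T08:02:19Z 10.0.0.12 alice POST http://mail.target-company.com/login
2014-09-01T08:05:02Z 10.0.0.12 alice GET http://mail.target-company.com/inbox
2014-09-01T09:10:44Z 10.0.0.40 bob CONNECT portal.target-company.com:443
2014-09-01T09:30:00Z 10.0.0.77 carol POST http://mail.target-company.com/login
2014-09-01T10:00:00Z 10.0.0.40 bob POST http://intranet.example.org/search
malformed line
"""

def exposed_accounts(log_text, masks, infected_hosts):
    """Map each user to the targeted sites they submitted data to
    from an infected host, i.e. the credentials to treat as stolen."""
    masks = [m.lower() for m in masks]
    mask_hosts = {urlsplit(m).hostname for m in masks}
    exposed = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than abort the triage
        _ts, src, user, method, target = parts
        if src not in infected_hosts:
            continue  # form grabbing only affects sessions on infected machines
        target = target.lower()
        if method == "POST":
            site = urlsplit(target).hostname
            hit = any(fnmatchcase(target, m) for m in masks)
        elif method == "CONNECT":
            # TLS tunnel: the proxy logs only host:port, so any session to a
            # targeted host is treated as a possible form submission.
            site = target.rsplit(":", 1)[0]
            hit = site in mask_hosts
        else:
            continue  # plain reads do not submit form data
        if hit:
            exposed.setdefault(user, set()).add(site)
    return {user: sorted(sites) for user, sites in exposed.items()}

if __name__ == "__main__":
    for user, sites in exposed_accounts(SAMPLE_LOG, TARGET_MASKS, INFECTED_HOSTS).items():
        print(f"reset credentials for {user}: {', '.join(sites)}")
```

Because the data is captured in the browser before encryption, HTTPS on the targeted site does not reduce the exposure, which is why tunnelled sessions are counted.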
The functions available with Citadel Trojan and other malware families include:
The above features make this category of malicious code very effective for targeted attacks, and in the past many APT groups have already exploited this kind of source code.
APT groups typically compromise their targets with similar malware delivered through phishing campaigns, drive-by download attacks, watering hole attacks and social engineering schemes, as confirmed by the experts at Trusteer.
“IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. IBM Trusteer’s Service team reports that they have discovered such malware in practically every customer environment in which they’ve worked.”
Let’s close the post with a couple of interesting graphs from the IBM Trusteer research team, which show the geographic distribution of APT malware infection rates:
(Security Affairs – Citadel trojan, APT)