Citadel Variant Used in Attacks Against Middle Eastern Petrochemical Companies

IBM reports a variant of the Citadel banking Trojan was spotted in APT-style targeted attacks against petrochemical companies in the Middle East.

Cybercrime tools continue to crossover into the realm of nation-state targeted attacks, with the latest example being a variant of the Citadel banking Trojan used in attacks against petrochemical companies in the Middle East.

The attacks took place within the past few months, said researchers at IBM Trusteer who spotted repurposed versions of Citadel on the companies’ networks. The revamped Citadel targeted URLs such as the companies’ webmail, and lay in wait until the user landed on the particular URL before it began recording credentials and sending them off to a central server. From there, the attackers had legitimate access to employee or contractor emails and could read and send messages and kick off phishing campaigns seeking deeper access to the victims’ networks.

The victims, said Dana Tamir, director of enterprise security at IBM, included one of the largest sellers of petrochemical products in the Middle East.

The victims, said Dana Tamir, director of enterprise security at IBM, included one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. Tamir would not say how much access the hackers had, nor whether they were successful in stealing intellectual property or communication from the organization.

Targeted attacks against critical industries are nothing new; attacks against chemical, energy utilities and defense organizations are rampant. But those hacks generally involve a mix of off-the-shelf commodity exploits and a dash of zero-days if necessary. The trend of using cybercrime tools is a growing one, Tamir said, because these attackers can take advantage of the massive distribution of these malware samples worldwide. IBM estimates, for example, that one in 500 computers is infected with what it calls “APT malware.”

“We started seeing this trend a few years ago, sporadic attacks,” Tamir said. “We’ve seen it here and there and thought this might be a trend that would pick up. Recently, it’s gained a lot of momentum.”

Just last week, Salesforce.com published an alert to its customers, warning that the Dyre, or Dyreza, banking Trojan was repurposed to steal Salesforce credentials. These attacks pose a real threat to enterprises since Salesforce, a SAAS business application, stores valuable financial and customer data that would have value to competitors or on the black market.

Repurposing banking malware to “APT malware” isn’t a major leap for an attacker. These malware families already can phone home to a centralized server, and many come with keyloggers and other information-stealing capabilities. This particular Citadel variant also included a form-grabber, or HTTP POST grabber—which steals user input from a form before it’s encrypted via SSL, for example. Banking Trojans also come with HTML injects, that allow an attacker to inject HTML content onto a webpage in order to fool the user with phony warnings or requests for log-in information.

“Financial malware started as man-in-the-browser attacks with a keylogger and some other basic capabilities that over the years have become more advanced,” Tamir said. “These Trojans are highly evasive and bypass detection controls. Second is the massive distribution of these Trojans. They are pushed out in massively distributed campaigns via malvertising, phishing, drive-by downloads and others methods to get on as many machines as possible. We’re seeing them in just about every organization.

“Now these Trojans are highly sophisticated tools,” Tamir said. “In order to turn a banker into an APT tool, all you need to do is provide it with a new target, which is just a new configuration file with a new target and boom, it looks for those targets.”

Suggested articles