It turns out that malware authors–at least some of them–may have an interest in economics. Perhaps worried about market saturation or commoditization, the distributors of the Citadel malware, which has been used to deliver ransomware in the past, are apparently about to take their creation off the market.

Citadel may not be the most famous piece of malware, but it’s done its fair share of damage. The program has been used in a variety of scams in the last few months, including the installation of a strain of ransomware called Reveton. In that instance, attackers were using Citadel in drive-by downloads to install Reveton, which was then locking up victims’ computers and demanding a $100 fee to unlock them.

Citadel is an interesting case, because the malware, which is sold for several thousand dollars, includes a kind of community aspect, through which users can communicate with developers about feature requests, bugs and other issues. Researchers found in February that the Citadel crew had adopted this model of community development and contribution, but it seems that crew might have decided it’s time to pull down the periscope and go quiet for a little while.

“With law enforcement hot on their heels, developers of the Citadel Trojan, who recently communicated the release of a new version (v1.3.4.5), dropped the bomb. The team’s spokesman declared that very soon their ‘software’ will no longer be publicly available through the underground venues where the team has traditionally marketed and sold Citadel. It appears that soon enough only existing customers will continue to enjoy Citadel Trojan upgrades and those wishing to purchase a new kit from the outside will have to get a current customer to vouch for them or be denied the product altogether,” RSA Security officials said in a blog post.

Researchers have been on the trail of Citadel for some time now, as have law enforcement agencies. The ransomware scam that was installing Reveton earlier this year also was presenting itself as a warning from the Department of Justice about there being illegal content on the victim’s machine. Law enforcement officials tend to take a dim view of criminals using their names as part of a scam, and that crew now has the attention of the DoJ, a career-limiting move.

The authors of Citadel, which is a derivative of Zeus, likely are not enjoying that attention.

“Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement. Their actions of developing, supporting and selling advanced crimeware make them an accessory to the crimes, which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars,” the RSA researchers said.

Categories: Malware

Comment (1)

  1. Anonymous

    The FBI Ransomware variant of this malware is still attacking my customer’s machines. I assume it is acquired by drive-by-downloading. Those questioned so far generally have no idea where they got the malware. The last websites before screen lockdown have been either unknown or, as the latest customer reported, Facebook was the last site visited. So far, the malware has been removed manually. Malwarebytes or an antivirus run on these machines reports no infection in safe mode, which I find odd. The malware has been out for a while, so the signatures must be changing rapidly?