Citadel Malware Used to Infiltrate Airport VPN

The Citadel Trojan is really starting to become kind of a pain in the neck. Not content to sit by and watch while its more well-known rivals Zeus and SpyEye get all the attention, the Citadel malware has begun showing up in some interesting places, with the latest example being the discovery of the Trojan being used to steal VPN credentials for internal users at a major airport.

The attack is a two-stage operation that is designed to defeat the strong authentication application that the airport had in place. Researchers at Trusteer discovered the attack and notified officials at the unnamed airport, who then disabled employee access through the VPN.

Airports are target-rich environments for attackers, thanks to their open wireless networks and the huge population of transient users who are all too eager to use them. Man-in-the-middle attacks on airports’ public networks are common, but this particular attack didn’t target the public network or its users; instead it went after the airport’s employees and their remote-access application. Getting access through any corporation’s VPN system is a huge win for an attacker, because once she comes in as an authenticated user, she enjoys all of the access and privileges on the network that the victimized user does.

In this particular episode, the attackers used a couple of well-known techniques in order to circumvent the security measures the airport had in place and make off with the victims’ VPN credentials.

“This attack uses a combination of form grabbing and screen capture technologies to steal the victim’s username, password, and the one-time passcode generated by a strong authentication product (we have also contacted this vendor). The first part of the attack uses form grabbing to steal the username and password entered into the login screen. The second part of the attack relies on screen capture capabilities to take a snapshot of the image presented to the victim by the strong authentication product,” Amit Klein of Trusteer wrote in an analysis of the attack.

The product that the airport was using to provide strong authentication for employees gave each user two choices: log in with a username and a one-time password that’s sent via SMS or a smartphone app; or log in using a CAPTCHA-like image of 10 digits that the user maps to his own static password. The Citadel malware used the screen-capture tactic to defeat this.

“This security measure prevents the form grabber from capturing the actual static password. This is where the screen capturing feature in Citadel kicks in,” Klein said.

“By capturing the image, the attacker uses the permutation of digits, along with the one-time code stolen by the form grabber, to reproduce the static password.”
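
To make concrete why the screen capture was needed on top of form grabbing, here is an added Python model of the digit-permutation login described above; it is not Trusteer's or the authentication vendor's code, and the exact mapping rule (the image is a permutation of 0-9 and the user types the image digit found at each static-password digit's position) and the CSPRNG shuffle are assumptions, since the article only says the user "maps" the image to a static password.

```python
import secrets

# Assumed model of the airport's second login option: the server shows a
# permutation P of the digits 0-9 as an image, and for each digit d of the
# user's static password the user types P[d]. The static password itself is
# never typed, so a form grabber alone sees only the derived one-time code.

def new_challenge() -> str:
    """Generate the per-login permutation that the server renders as an image."""
    digits = list("0123456789")
    for i in range(9, 0, -1):                 # Fisher-Yates shuffle with a CSPRNG (assumed)
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)

def encode(static_password: str, challenge: str) -> str:
    """What the legitimate user types: the image digit at each password digit's position."""
    return "".join(challenge[int(d)] for d in static_password)

def verify(static_password: str, challenge: str, submitted: str) -> bool:
    """Server-side check; the static password never crosses the wire."""
    return secrets.compare_digest(encode(static_password, challenge), submitted)

def invert_mapping(challenge: str, submitted: str) -> str:
    """The weakness the article describes: the submitted code is a plain substitution
    under the challenge, so whoever holds both the image (screen capture) and the
    code (form grab) reads the static password straight off the permutation."""
    return "".join(str(challenge.index(c)) for c in submitted)

def codes_differ_per_login(static_password: str, trials: int = 20) -> bool:
    """The property the scheme does provide: a form-grabbed code alone is not
    replayable, because every login uses a fresh permutation and so a fresh code."""
    codes = {encode(static_password, new_challenge()) for _ in range(trials)}
    return len(codes) > 1

if __name__ == "__main__":
    pw = "4071"                               # constructed static password
    ch = new_challenge()
    code = encode(pw, ch)
    print("image:", ch, "user types:", code, "accepted:", verify(pw, ch, code))
    print("recovered from image + typed code:", invert_mapping(ch, code))
```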

The Citadel malware is a close cousin of the Zeus crimeware kit and typically is used as a banker Trojan, stealing users’ online banking credentials and allowing attackers to drain victims’ bank accounts. In July RSA researchers said that the Citadel team may be removing its creation from the Web and only selling it to private clients. Since then it’s shown up in a variety of new attacks, and has been used in some ransomware operations involving the Reveton malware as well.