Citadel Malware Variant Allows Attackers Remote Access, Even After Removal

A new variant of the Citadel banking Trojan has been discovered where the attackers are using Windows remote shell commands to be enable Remote Desktop Protocol access, even if the malware is discovered and removed.

When hackers have compromised a valuable computer, maintaining persistence on that machine is the key to maintaining access to its resources and stored assets.

A new variant of the Citadel banking malware has been discovered that comes with a feature that allows the attacker to leverage remote management tools in order to own machines, even after the malware has been detected and removed.

Citadel has come bundled with VNC (Virtual Network Connection) since Day 1, giving an attacker remote access to the infected device in order to manually steal from high-value accounts, for example. It also comes with Windows shell commands giving the hacker a peek at the network the compromised machine lives on.

Researchers at IBM, who discovered the new twist to Citadel, said that the use of VNC and other remote management tools help hackers avoid detection because most security gear will be looking for automated scripts rather than someone operating manually over VNC, which is likely whitelisted for legitimate remote administration. Hackers, IBM said, also use it for HTML injections in order to steal banking credentials. However, once the malware is spotted and removed, its VNC capabilities have been removed as well.

To counter that and maintain a presence on devices after Citadel has been wiped from a machine, in this version of the malware the attacker has figured out how to use Windows shell commands to add a new local user to the machine, and add that user to the local administrator and Remote Desktop Protocol groups with a password that never expires, IBM said.

“The attacker has set up a backup back door into the infected device,” wrote researcher Etay Maor in a blogpost. “Attackers benefit in the following ways when utilizing such a trick, especially when they are preparing for a persistent, long-term attack against an enterprise.”

Now with this version of Citadel, the attacker is able to use RDP to access the device, playing on the notion that the user believes their machine is secure now that Citadel has been wiped, Maor said.

“While malware modules and communications may be more vulnerable to interception and analysis by security software, using the Windows-native RDP capabilities may fly under the radar as some companies actually use this exact same protocol for technical support,” Maor said.

Citadel is an offshoot of the Zeus banking Trojan. In June 2013, however, Microsoft and the FBI carried out takedowns that eradicated more than 1,400 botnets associated with Citadel. Servers were seized at two hosting facilities in the U.S. and within two months, Microsoft said 88 percent of Citadel botnets were down.

The takedown also wiped out legitimate domains that were sinkholes used by malware researchers in order to track Citadel. Swiss researchers at estimated that 25 percent of the seized domains were legitimate sinkholes operated by researchers.

Suggested articles