Banking malware has primarily been just that, an attack tool used against financial institutions to steal money from online bank accounts. But what if cybercrime gangs decided to flip that on its head, and use malware such as the Citadel banking Trojan to steal credentials from not only banks, but government agencies and commercial businesses?

That situation apparently has been in play since late December. McAfee reported this week that it has observed an uptick in attacks, primarily in Europe, where Citadel has been used to attack government offices in Poland, businesses in Denmark and Sweden, as well as government agencies in Japan.

The use of Citadel, a less-circulated variant of the Zeus malware, is noteworthy because Citadel was removed from commercial underground marketplaces last June after its author Aquabox was banned from trading and said he would sell only to referrals. McAfee has observed 300 Citadel samples still active in the wild compromising more than 500 victims in Europe. By comparison, fewer than a dozen have been compromised in the United States. By comparison, Zeus infections number in the tens of thousands, McAfee’s Ryan Sherstobitoff said in the company’s report, “Inside the World of the Citadel Trojan.”

“[Zeus] doesn’t seem to seek special targets; on the other hand, gangs that use Citadel tend to be very population specific, targeting countries and even specific cities with this advanced Trojan,” he wrote. “Variants of Citadel have struck victims in a single country, and in some cases, a single city.”

Sherstobitoff relayed one rash of infections in Madrid, Spain, that hit fewer than a dozen victims, which in addition to the attacks in the rest of Europe, seem to reinforce that Citadel is being used for other campaigns other than financial fraud; consumers are also not being targeted.

“Some campaigns involving government targets lack a malware configuration file containing banking targets,” Sherstobitoff wrote. “In these cases, it is likely Citadel is being used for purposes other than financial fraud.”

The targeted attacks against commercial and government entities using Citadel are harvesting credentials for a variety of internal business applications, banking system applications, manufacturing systems and more. The credentials are not necessarily being used immediately, the report said. Citadel is also being used to drop additional malware and steal data using command and control servers as data drops.

The latest version, Citadel 1.3.45, is marketed underground as the Extreme Edition. It has the capability to allow a virtual network computing connection from command and control to individual victims, enabling the attacker to script attacks specifically for the targets in question. McAfee said this is the first time it has seen banking Trojans used in targeted attacks.

McAfee said it observed two separate attacks carried out against government offices in Poland and commercial businesses in Denmark and Sweden using Citadel. The attacks had unique strings in the malware’s process memory that are consistent across all the attacks, as well as a common URL path between the victims and where the credentials are dropped. Also, lines of Old English poetry are sprinkled throughout the binaries, leading McAfee to dub the gang, the Poetry Group.

Local and city governments in Poland were targeted from October to December, and the attackers were after access to secure areas on 48 agencies’ networks such as email and other resources. The control servers, meanwhile, were located in the United States, Finland and Kuala Lumpur. In one campaign, there were 156 victims infected with the same Citadel variant, while in another, 36 victims were hit, again, mostly in the Polish government with command and control located in Canada and Germany.

The Poetry Group, however, was not all about credential harvesting and dropping malware for later use. McAfee said it saw attempts to steal money from victims with high assets using an Automated Transfer System (ATS) that targeted customers of one of Poland’s leading financial institutions.

“We expect that [Citadel’s] targets will shift as more cybercriminals realize the benefits of Citadel go beyond financial fraud,” the report said. “There is significant amount of recent activity, as late as Jan. 13,to suggest that private customers will continue to use Citadel to attack business and government organizations.”

Categories: Malware

Comments (3)

  1. Dick

    The article just mentions cases of a few hundreds victims. Why did the article not mention the 150.000 infections that happened in the Netherlands towards the end of 2012?

  2. Cher

    Hi, Is the ABOUT:BLANK supposed “tpojan” virus one of te Citabdels? No one seems to be able to help me with this not even Kaspersky. I wont describe it as I have done so in another post under another topic. Anyone know if this stems from Citadel?

Comments are closed.