With builders for the Citadel Trojan freely available on any number of underground criminal forums, it’s no surprise to see some legs left in the malware despite a takedown of more than 1,400 Citadel botnets less than a month ago by U.S. law enforcement and Microsoft.
A new variant has popped up in the last few weeks targeting not only banks and financial institutions, but social networks and ecommerce websites such as Amazon. The malware triggers on infected machines when it browses to the target site and delivers an HTML injection that looks like a legitimate log-on page. The injection screen contains detailed localized content, specializing in Italian, Spanish, French, German, British, American and Australian targets for each brand in question.
“We did see a lot of effort to create custom scripts per local infection. The dropdowns are localized and there are specific data elements for different geographies,” said Etay Maor, Trusteer fraud prevention solutions manager. “This group localized things a person from a specific country would expect to see. They went to great effort to localize this.”
The Trojan is after credentials and other personal information such as payment card information. The group behind this variant seems to keep a low profile and is controlling distribution and could be stockpiling credentials and personal information to sell off.
“They have a different way of storing data and have built databases for regions. That makes me think they’re going to sell the information rather than use it,” Maor said. Localized credentials, for example, have more value than a scattered list of user names and passwords. “For people who sell credentials, it’s a big difference to say they have 100 Italian credentials. For example, it doesn’t help to have American account information if you’re working in Italy. You can use it, but you need an accomplice who knows the local rules.”
The ruse used by the injection page is that there has been suspicious activity detected on an Amazon account, for example, and that the account has been blocked. Even the warnings have been localized, Maor said. The malware collects passwords and credit card details.
“What we’ve seen is an interesting group, a low-profile team. This variant is not sold as we’ve seen other variants sold,” Maor said. “The distribution isn’t huge, but it is significant. They’re very good at protecting stored stolen credentials, and very good at making the malware hard to research. These are not your average hackers; they didn’t just buy a version of the Citadel malware. They took the extra step to make it covert and sustainable, and to localize it.”
The criminals’ expansion beyond banks and financial institutions toward ecommerce targets brings the malware into new markets and new regions, Maor said.
“You can see the injections are professional. There are no grammar mistakes and the logos all look real,” Maor said, adding that victims are likely infected via drive-by downloads. “But if you log into Amazon and you see a screen you’ve never seen before, even one that warns you that your account will be shut down, you should be a little more skeptical.”
In the meantime, even with high-profile botnet takedowns, Citadel and other malware families continue to be profitable and have longevity.
“They disrupted more than 1,000 botnets operated by Citadel, but it’s important that people understand that while the operation was important, it didn’t solve the problem,” Maor said. “They disrupted botnets that were up and running, but anyone who has the Citadel builder can build a new variant and distribute it. They didn’t eliminate Citadel. Yeah, business took a hit, but it can be recreated.”