The Citadel Trojan has once again branched out beyond its roots as banking malware and is now targeting the master passwords guarding major password management products.

Researchers from IBM Trusteer today said they’ve notified makers of the nexus Personal Security Client, Password Safe and KeePass about a new configuration file found on an infected computer targeting processes used by the respective password management tools.

“It instructs the malware to start keylogging when some processes are running,” wrote Dana Tamir, director of enterprise security at IBM Trusteer.

Tamir said the Personal.exe process in nexus Personal Security Client, PWsafe.exe from Password Safe and KeePass.exe are called out by the new Citadel configuration files. In each case, the malware seeks out and captures the master password that unlocks the password database stored by the password management tool.

NeXus Personal Security Client is cryptographic middleware used in enterprise and service provider locations to secure financial transactions, ecommerce and other services from the desktop. Password Safe, meanwhile, is an open source tool built by Bruce Schneier. KeePass is also a free, open source password manager, but it uses a random password generator preventing the user from having to come up with individual passwords. The Trojan, however, sidesteps that protection by stealing the master password.

“An analysis of the configuration file shows that the attackers were using a legitimate Web server as the C&C,” Tamir said. “However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration.”

Tamir could not confirm whether these are opportunistic or targeted attacks.

IBM said it has notified the respective vendors in order that users might be notified as well.

Citadel, like most widely distributed malware families, is crossing over more and more from the realm of cybercrime to APT-style targeted attacks. New features and a hunger for legitimate credentials make the malware, which is already sitting on hundreds of thousands of machines, particularly dangerous to critical infrastructure, in addition to financial services.

In September, a Citadel variant was used in attacks against petrochemical companies in the Middle East. IBM said at the time that the repurposed versions of Citadel were going after email credentials in order to phish others within an organization or gain deeper access to a compromised network.

Tamir estimates that one in 500 computers is infected with malware used in targeted APT attacks.

“Since millions of machines are already infected with Citadel, it is easy for attackers to take advantage of this malware in new cyber schemes,” Tamir said. “All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets.”

Citadel can sit dormant on an infected computer until a user lands on a particular site; depending on how the malware is configured, it can be triggered by visiting a specific online banking site or web-based email log in.

“It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action,” Tamir said. “This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them.”

Categories: Critical Infrastructure, Malware, Web Security