FBI Warns of New Twist to Reveton, Citadel Malware Scams

The cybercrime group behind the Citadel malware and Reveton ransomware has upped the stakes with a new extortion technique, the FBI’s Internet Crime Complaint Center said today.

The cybercrime group behind the Citadel malware and Reveton ransomware has upped the stakes with a new extortion technique, the FBI’s Internet Crime Complaint Center said today.

Reveton scams have now co-opted the Internet Crime Complaint Center with a new fake warning to users whose computers have been infected.

“In addition to instilling a fear of prosecution, this version of the malware also claims that the user’s computer activity is being recorded using audio, video, and other devices,” an FBI advisory said.

Victims usually are lured to a website hosting the malware. Once Reveton has been installed, the victim’s computer is locked up and a screen materializes with a warning that Federal law has been violated. The victim also sees a message that the FBI has determined that the user’s IP address has accessed child pornography and other illicit content.

The victim is instructed that the only way to unlock their computer is to pay a fine via a prepaid money card service, the FBI said.

“In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud,” the advisory said.

Despite the fact that some victims have paid up, they quickly learn they’ve been scammed and their machines are not unlocked.

The FBI has warned about Reventon infections before but earlier scams did not threaten victims with video and audio surveillance.

Citadel is a constantly evolving malware platform. In October, its authors update the malware with a dynamic configuration module that allows them to inject code directly into compromised browsers in real time.

This new feature lessens the chance that the malware would be detected by security software since this would eliminate the need for update configuration files to be sent to each bot.

“This shows us that this team is really serious. Their development skills are very strong; these are not amateurs,” siad Limor Kessem of RSA Security in an interview with Threatpost.

The Dynamic Config injection mechanism keeps a botmaster from having to open external communications channels to send injection files or updates to configuration files. Once a victim is compromised, Kessem said, the botmaster can use HTML or Javascript injections on legitimate banking or ecommerce pages and via a Javascript popup, for example, ask a user for additional log-in or personal information such as date of birth or a Social Security number.

Citadel is an advanced platform. It updates almost quarterly with new features that indicate a level of professional development, organization and resources. It also runs on an open source model of sorts, support its own customer relationship management, support teams and user forums where issues are discussed.

In July, experts noted chatter that Citadel might be taken off the market in underground forums and updates would be limited only to existing customers.

Suggested articles


  • jan on

    I'm not happy with the level of support I am getting on my ransomware. What is the use of holding my data to ransom without providing me clueless Indian helpdesk technicians following a script that leads nowhere? I don't care if it has advanced code injection. I demand superior software support on a premium toll line, or I'm going to switch to another ransomware provider.
  • Anonymous on

    I agree, I'm already stressed about my infected computer and having to decode a heavy Mumbai accent is not easy when you're already tired from trying to unlock your PC. I hate getting transferred to overseas support almost as much as listening to the same cheezy music loop over and over when I'm on hold.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.