Citadel Trojan Moves Beyond BanksMalware Targets New Global Sectors, Intellectual Property
Despite its commercial removal from underground forums last year, the highly sophisticated Trojan known as Citadel is now a global threat to multiple business sectors, not just financial services, according to researchers at McAfee Labs.
This latest version of Citadel, an advanced Zeus variant originally designed to steal online banking credentials, is now being used to steal intellectual property. And everything from government agencies and healthcare organizations to manufacturing companies, the oil and gas industry, and educational institutions is being targeted, researchers warn.
The financial sector, of course, remains a primary target, says Ryan Sherstobitoff, a McAfee researcher who's published a report about Citadel's new global targets. But the measures banks and credit unions have in place to detect incidents of account takeover, which often result when keyloggers like Citadel hijack online credentials, are no longer enough.
"Institutions have to think about defense in-depth," Sherstobitoff says. "You can't just rely on cash management systems or anti-virus software to detect an intrusion or anomalous behavior."
These recent Citadel attacks reveal hackers are infiltrating internal systems and staying in the network for stretches of time, often undetected.
For banking institutions, and others, the best defense is internal network monitoring to determine if files and systems are being accessed - even if no fraudulent transactions result.
"Monitoring internal ... controls is just as important as monitoring the transaction associated with an online banking customer's account," Sherstobitoff says. "If you don't know who's in your network, you have to monitor what is going on - what's being accessed, downloaded and viewed."
Since October, Citadel has been used to steal intellectual property, not just take over online banking accounts, Sherstobitoff says. A network of attackers known as the Poetry Group is suspected of developing this variant of the malware to pose a more critical threat, he adds.
"From our field telemetry, we were able to pinpoint the regions and identify targets and victims spanning more than a half-dozen campaigns," Sherstobitoff says. "The attacks are moving from targeting just financial information to targeting data and company secrets."
What stands out about the message behind the attacks, and makes them different from Citadel strikes documented in 2012, is the insertion of poetry as a string-table resource within the malware binary code, he says.
"We've found them making political statements against the groups they are targeting," Sherstobitoff explains.
But McAfee does not believe the Poetry Group is waging its attacks for a social cause. Instead, researchers suspect the group is a data-gathering operation on the market for hire, Sherstobitoff says.
Researchers also suggest the Poetry Group is likely of English origin, because many of the poetic statements contained in the attacks reference England and English kings. McAfee has traced many of the attack control servers to hosted sites in the United States, although the targeted entities were often located in Denmark, Sweden and Poland.
A Security Reminder
Citadel's shift from solely a banking Trojan to a cyber-espionage tool is a first, Sherstobitoff says. "We typically don't see banking malware used for purposes other than stealing money from victims," he writes in his report.
But Sherstobitoff stresses that any malware can used for a new purpose. Just because a Trojan is developed to target banking accounts does not mean other industries are immune.
"The owner of the botnet can get in to customize Web injects and automate certain applications," he explains.
In the case of Citadel, because the Trojan offers attackers remote access, and can capture any information entered on an infected user's PC screen, the use of compromised data and information for a future attack should be a top concern, Sherstobitoff says.
"If they wanted to penetrate the entire network of a financial institution or some other organization, they could," he says.
The best precaution organizations can take is to ensure anti-virus software and systems are up-to-date. "These attacks result from not taking patch management seriously," Sherstobitoff adds.