Joint attack by banking Trojan and ransomware

The Citadel malware – a banking Trojan that is based on Zeus Trojan’s source code and whose creators have adopted a Software-as-a-Service approach when it comes to the modifications of the crimeware kit that produces its variants – is currently being delivered along with the Reveton ransomware.

“The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server,” explains Trusteer’s Amit Klein.

The ransomware locks the targeted computer and pops-up a warning made to look like it’s coming from the US Department of Justice:

The message says that the IP address belonging to the user’s machine was identified as having visited websites containing illegal content.

In order to make the threat go away and to have their computers unlocked, the users are urged to pay a $100 “fine” via a pre-pay electronic payment method such as MoneyPack or Paysafecard.

The ransomware helps hide the fact that the Citadel malware has also been installed and is waiting to slurp online banking and credit card information from the users via a number of techniques.

“This is another example of financial malware expanding beyond online banking fraud and being used as a launch pad for other types of cyber-attacks. Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution,” Klein concludes.

Don't miss