Citadel Trojan used in unusual targeted attacks

The Zeus/Zbot banking malware and its variants and derivates (such as the Citadel Trojan) have, until now, been used for stealing banking credentials from random users. But McAfee researchers have spotted a group of cybercrooks that use the Citadel Trojan in targeted attacks aimed at specific individuals in organizations in Europe and Japan.

Citadel’s creator, who goes by the handle of “Aquabox”, has recently been banned from one of the most popular underground forums for selling malware, but that was apparently not the end for Citadel.

McAfee’s research unveiled that some cyber criminal groups have had the innovative idea of using Citadel in ways other than what it was originally intended for.

The Citadel Trojan is currently most prevalent in European countries, and the number of infections is rather small – around 1,000. The researchers estimate that some 300 different samples of the Trojan are currently active in the wild, and they can mostly be found on computers within commercial entities or government organizations.

“Variants of Citadel have struck victims in a single country and, in some cases, a single city,” they shared in a white paper.

“We observed a Spanish campaign that used a single variant of Citadel to target the city of Madrid. The malware was distributed to fewer than a dozen victims. No prior or later samples were related to this campaign, and we consider this incident isolated. The targets were selected for reasons unknown. This case helps us see that Citadel is being used for interests other than financial crime.”

Another indication that Citadel is being used for purposes other than financial fraud is that some campaigns involving government targets lack a malware configuration file containing banking targets.

“Citadel has features that extend beyond targeting customers of financial institutions. The malware can collect anything from a victim’s PC. Citadel Version 1.3.45, the ‘Extreme Edition,’ contains functionality allowing a simplified virtual network computing (remote control) connection to the victim. In other words the Trojan will establish (automatically if need be) from the control panel a hidden channel of communication with the victim’s PC,” they explained.

In the dozen of campaigns spotted since last October, Citadel seems to be used for harvesting credentials from internal applications, banking system applications, manufacturing systems, and so on, as well as for exfiltrating other data.

The attacks have, for now, been concentrated on government offices in Poland, Japanese prefectures, and commercial entities in Denmark and Sweden.

McAfee researchers believe that they have all been perpetrated by a group they dubbed the “Poetry Group” on account of the poetic text they include in the malicious binaries. The verses are by Shakespeare, and often allude to the targets, making the researchers speculate that the attackers might be of English origin.

Apart from this, the various analyzed campaigns have other things in common: common URL paths for drop zones, unique strings that appear in the malicious process memory, and the targets (government entities in Nordic countries). Control servers for the campaigns are mostly hosted in the United States.

“After an analysis of 300 unique Citadel Trojan samples, we conclude that the poetry strings are not caused by a common tool nor or they included in Citadel by default; they are the work of the Poetry Group. We suspect that Poetry Group may be a byproduct of a for-hire data-gathering operation for a private clientele; and their tool of choice is Citadel,” concluded Ryan Sherstobitoff, threats researcher with McAfee Labs and author of the white paper.