A good indication that the use of password managers has become a thing is the fact that cyber crooks are now trying to slurp up users’ master password for a number of these and additional authentication solutions.
According to IBM Trusteer researchers, the newest Citadel variants have been instructed to start capturing user keystrokes when the user starts open-source password management solutions Password Safe or KeePass, or the neXus Personal Security Client, an authentication solution for securely effecting financial or e-commerce transactions.
The researchers found this new Citadel configuration file on a user machine protected by company solution, but it’s impossible to tell if the machine belongs to a private user, an enterprise employee or a contractor.
“The machine was already infected by Citadel when IBM Trusteer Apex was installed on it. Therefore, it is unknown exactly how it became infected,” noted Dana Tamir, Director of Enterprise Security at IBM Trusteer.
“An analysis of the configuration file shows that the attackers were using a legitimate Web server as the C&C. However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration.”
It could be a simple opportunistic attack, but it’s also possible that it’s a more targeted one. Citadel began its existence as generic financial information-stealing malware, but has recently been turned into an APT tool.
“Since millions of machines are already infected with Citadel, it is easy for attackers to take advantage of this malware in new cyberschemes. All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets,” Tamir pointed out.
The Citadel Trojan is capable of bypassing most threat detection security systems and laying low until it is instructed spring into action.
Using password managers and authentication software is always a good idea, but users must be aware that they also need to keep their computers free of malware that can compromise the master password and, consequently, all other passwords stored in the software.
Frankly, I am surprised that it took cyber criminals so long to concentrate on these targets.