Latest Citadel trick allows RDP access after malware's removal

Share this article:
Police, security firms abate Shylock malware threat
Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Attackers have updated Citadel with a new “trick” that gives them device access even after the banking malware has been detected and removed by administrators, a security firm found.

According to Trusteer, an IBM company, the access is maintained through native Windows remote desktop protocol (RDP) capabilities, a Tuesday blog post by the firm said.

Etay Maor, prevention solutions manager at Trusteer, explained in the post that Citadel has offered fraudsters virtual network connection (VNC) capabilities since it emerged – a feature allowing access similar to RDP. Citadel's new configuration, however, allows fraudsters a heightened level of persistence, giving hackers RDP access, even if the malware and its VNC capabilities are removed, Maor wrote.

Once a device is infected with Citadel, malware operators run Windows shell commands, which allow them to add a new user to the system's local administrator group. Once they've accomplished this feat, attackers then go one to add a new user to the local RDP group, and set the password to “never expire,” Maor continued.

“Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities,” his blog post said. “The attacker has set up a backup back door into the infected device.”

These exploits could go unnoticed since the use of Windows-native RDP capabilities may be assumed legitimate by enterprises (the protocol is often used for technical support, for instance), he explained.

In a Thursday interview with, Maor said that the updated malware had targeted Australia and a small number of countries in Asia. Trusteer discovered the new Citadel “trick” this month, Maor added.

“The security team is still watching to see if it propagates,” Maor said. He later explained that the updated threat may be limited in its impact, for now, as attackers used hardcoded shell commands – meaning each command tags the same username (coresystem) and password (Lol117755C) to the created administrator group.

“I think its [use] may be limited, because the shell commands are hardcoded; they don't change. Every command will add the same password to the same group, which is not very scalable,” Maor said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.