Incident Response, Malware, TDR

Latest Citadel trick allows RDP access after malware’s removal

Attackers have updated Citadel with a new “trick” that gives them device access even after the banking malware has been detected and removed by administrators, a security firm found.

According to Trusteer, an IBM company, the access is maintained through native Windows remote desktop protocol (RDP) capabilities, a Tuesday blog post by the firm said.

Etay Maor, prevention solutions manager at Trusteer, explained in the post that Citadel has offered fraudsters virtual network connection (VNC) capabilities since it emerged – a feature allowing access similar to RDP. Citadel's new configuration, however, allows fraudsters a heightened level of persistence, giving hackers RDP access, even if the malware and its VNC capabilities are removed, Maor wrote.

Once a device is infected with Citadel, malware operators run Windows shell commands, which allow them to add a new user to the system's local administrator group. Once they've accomplished this feat, attackers then go one to add a new user to the local RDP group, and set the password to “never expire,” Maor continued.

“Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities,” his blog post said. “The attacker has set up a backup back door into the infected device.”

These exploits could go unnoticed since the use of Windows-native RDP capabilities may be assumed legitimate by enterprises (the protocol is often used for technical support, for instance), he explained.

In a Thursday interview with SCMagazine.com, Maor said that the updated malware had targeted Australia and a small number of countries in Asia. Trusteer discovered the new Citadel “trick” this month, Maor added.

“The security team is still watching to see if it propagates,” Maor said. He later explained that the updated threat may be limited in its impact, for now, as attackers used hardcoded shell commands – meaning each command tags the same username (coresystem) and password (Lol117755C) to the created administrator group.

“I think its [use] may be limited, because the shell commands are hardcoded; they don't change. Every command will add the same password to the same group, which is not very scalable,” Maor said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.