Latest Citadel trick allows RDP access after malware's removal

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Attackers have updated Citadel with a new “trick” that gives them device access even after the banking malware has been detected and removed by administrators, a security firm found.

The access is maintained through native Windows remote desktop protocol (RDP) capabilities, according to a Tuesday blog post by Trusteer, an IBM company.

Etay Maor, prevention solutions manager at Trusteer, explained in the post that Citadel has offered fraudsters virtual network connection (VNC) capabilities since it emerged – a feature allowing access similar to RDP. Citadel's new configuration, however, allows fraudsters a heightened level of persistence, giving hackers RDP access, even if the malware and its VNC capabilities are removed, Maor wrote.

Once a device is infected with Citadel, malware operators run Windows shell commands that add a new user to the system's local administrator group. Having done that, the attackers go on to add the new user to the local RDP group and set its password to “never expire,” Maor continued.

“Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities,” his blog post said. “The attacker has set up a backup back door into the infected device.”

This abuse could go unnoticed, since enterprises may assume that use of Windows-native RDP capabilities is legitimate (the protocol is often used for technical support, for instance), he explained.
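The persistence pattern described above (a new local administrator who is also in the RDP group, with a password that never expires) is something an administrator can audit for directly. The following PowerShell is an added example for this article, not code from Trusteer or the original post; the allow-list of expected accounts is a placeholder assumption, while the account name it flags is the one reported in the article.

```powershell
# Added defender-side audit (not from the Trusteer post): list who can reach this host over RDP
# and flag local accounts matching the persistence pattern described in the article:
# an unexpected member of Administrators / Remote Desktop Users whose password never expires.
# Requires the LocalAccounts module (Windows PowerShell 5.1+, Windows 10 / Server 2016+).

# Placeholder allow-list (assumption): replace with the principals your organisation expects.
$ExpectedMembers = @('Administrator', 'DOMAIN\Server-Admins')

# The hardcoded account name reported in the article; any hit here is a strong indicator.
$KnownBadNames = @('coresystem')

# Is RDP even enabled on this host? fDenyTSConnections = 0 means connections are allowed.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
"RDP connections allowed on this host: $rdpEnabled"

$Groups = @('Administrators', 'Remote Desktop Users')
$Findings = foreach ($g in $Groups) {
    foreach ($m in Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue) {
        # Get-LocalGroupMember returns "HOST\name" or "DOMAIN\name"; keep the bare name too.
        $bare = ($m.Name -split '\\')[-1]
        $reasons = @()
        if ($m.Name -notin $ExpectedMembers -and $bare -notin $ExpectedMembers) {
            $reasons += 'not on allow-list'
        }
        if ($bare -in $KnownBadNames) { $reasons += 'matches reported Citadel account name' }

        # Password settings are only meaningful for local user accounts, not groups or domain principals.
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $u = Get-LocalUser -Name $bare -ErrorAction SilentlyContinue
            # Get-LocalUser reports a null PasswordExpires when "password never expires" is set.
            if ($u -and $null -eq $u.PasswordExpires) { $reasons += 'password never expires' }
            # A recently created/reset password on an admin account deserves a second look.
            if ($u -and $u.PasswordLastSet -gt (Get-Date).AddDays(-7)) { $reasons += 'password set in last 7 days' }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Group   = $g
                Member  = $m.Name
                Source  = $m.PrincipalSource
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No unexpected RDP/admin principals found.' }
```

Run it elevated on each host; a local account that appears in both groups with “password never expires” and is absent from the allow-list is the exact shape of the back door Maor describes, and is worth removing even after the malware itself is gone.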

In a Thursday interview with SCMagazine.com, Maor said that the updated malware had targeted Australia and a small number of countries in Asia. Trusteer discovered the new Citadel “trick” this month, Maor added.

“The security team is still watching to see if it propagates,” Maor said. He later explained that the updated threat may be limited in its impact, for now, because the attackers used hardcoded shell commands – meaning every infection adds the same username (coresystem) with the same password (Lol117755C) to the administrator group.

“I think its [use] may be limited, because the shell commands are hardcoded; they don't change. Every command will add the same password to the same group, which is not very scalable,” Maor said.
