New Citadel trojan costs more, but allows for easier updates
One of the more pervasive trojans, Citadel was also used in August to break into the virtual private network (VPN) of an unidentified international airport. In that incident, discovered by security firm Trusteer, Citadel defeated the VPN's two-factor authentication not by breaking the scheme but by stealing what it protected: form-grabbing intercepted the login fields as employees submitted them, and screen capture recorded the one-time code, giving the attackers everything needed to log into airport employees' accounts.
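The practical lesson of the airport incident is that a one-time code captured at the form is as good as a password unless the server refuses to accept it twice. The following added example (it is not code from the article or from Trusteer) implements a standard RFC 6238 TOTP check with single-use enforcement, and then replays the scenario: a code grabbed from the victim's login is rejected when the attacker replays it moments later, but if the attacker relays it in real time and wins the race, the server accepts the attacker and rejects the victim instead. The secret, user name and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference test key, not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (Unix time // step)."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side verifier that accepts each time-step code at most once per user.

    Without the replay check, a code lifted by a form grabber or a screenshot
    stays valid for the whole window and can simply be resubmitted.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self._last_counter = {}       # user -> highest counter already accepted

    def verify(self, user: str, code: str, now: int) -> str:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                # A code for a step we have already consumed is a replay,
                # whether it comes from the victim's browser or the attacker's.
                if counter <= self._last_counter.get(user, -1):
                    return "replayed"
                self._last_counter[user] = counter
                return "ok"
        return "invalid"


def simulate_form_grab(secret: bytes = SECRET) -> list:
    """Replay the airport scenario against two fresh verifiers (constructed timeline)."""
    results = []
    grabbed = totp(secret, 59)              # code the malware captured from the form

    # Case 1: the victim's own login reaches the server first.
    server = OtpVerifier(secret)
    results.append(server.verify("employee", grabbed, 59))   # victim logs in: ok
    results.append(server.verify("employee", grabbed, 75))   # attacker replays: replayed

    # Case 2: real-time relay; the attacker submits the grabbed code first.
    server = OtpVerifier(secret)
    results.append(server.verify("employee", grabbed, 60))   # attacker wins the race: ok
    results.append(server.verify("employee", grabbed, 61))   # victim is now rejected: replayed
    return results


if __name__ == "__main__":
    print(simulate_form_grab())
```

The single-use check closes the cheap attack (capture now, log in later) and turns a real-time relay into a visible event: the legitimate user gets a rejection they did not expect, which is worth logging and alerting on. It does not by itself stop an attacker who relays the code within the same window, which is why phishing-resistant factors such as origin-bound authenticators are the stronger fix.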
The malware, paired with the Reveton "ransomware," has also been used in an extortion scheme that accuses victims of viewing child pornography, complete with fake alerts purporting to come from the U.S. Department of Justice.
The Citadel trojan also has been linked with a botnet called Sopelka, which appeared in May and was shut down last month, according to S21sec, a security firm headquartered in Spain.
In a blog post published Wednesday, the firm said Citadel and two other banking trojans, Tatanga and Feodo, were being used to harvest banking credentials from infected computers, primarily in Spain and Germany.
“During the botnet's lifetime there were at least five campaigns and it's likely that more were carried out,” said the blog post. “Of the five known campaigns, three of them installed variants of Citadel, versions 1.3.4.0 and 1.3.4.5, another Feodo, and Tatanga was the chosen trojan in the other [campaign].”
Kessem said that to evade detection while continuing their scams, Citadel botmasters often start new malware campaigns almost as quickly as the old ones are shut down.
“These botnets are up and down all the time,” Kessem said. “Sometimes, law enforcement will try to shut down a botnet, but [attackers] may start a new botnet and infection campaign, so they can't be found.”
