A variant of the notorious Citadel malware, dubbed Atmos by its discoverers at Malwarebytes, is targeting financial institutions in France, six months after Citadel’s author was imprisoned.
The banking trojan, also detected carrying ransomware, has its C&C servers based in Vietnam, Canada, Ukraine, Russia, the U.S. and Turkey. Already nearly 1,000 bots have been drafted into service and the total is sure to grow, wrote Heimdal Security’s Andra Zaharia, in a blog post.
Detection of Atmos is made more difficult as TeslaCrypt, embedded in the code, provides impenetrable encryption.
Originally based on ZeuS code when it first appeared in 2011, the Citadel banking trojan was soon a bestseller on underground markets eventually infecting more than 11 million computers around the world with scareware and ransomware. The trojan was capable of siphoning off credentials and accessing internal apps and management systems to steal money and personal data.