Incident Response, Malware, TDR

Citadel used in APT attacks against petrochemical firms


A security firm revealed that Citadel, financial malware known as a sophisticated cousin of Zeus, has been used to target several firms outside the financial sector via advanced persistent threat (APT) attacks.

IBM Trusteer detected the campaign, which was launched to infect petrochemical firms in the Middle East.

In a Monday blog post, Dana Tamir, director of enterprise research at the company, detailed why Citadel's malicious capabilities would be appealing for APT actors. Discovered in 2012, Citadel was designed to purloin victims' banking credentials using web injects, but as the malware evolved, its information-stealing capabilities have grown to encompass feats allowing longer term access, Tamir wrote.

“While the use of advanced malware that was originally built for financial theft as a generic advanced persistent threat (APT) tool is not new, this is the first time we've seen Citadel used to target nonfinancial organizations in a targeted/APT-style attack in order to potentially access corporate data, steal intellectual property or gain access to secured corporate resources, such as mail systems or remote access sites,” Tamir said in the blog post.

In the attacks on petrochemical plants, Citadel was instructed to search for user access to specific systems, like webmail, so that attackers could leverage the malware's form grabbing capabilities, IBM Trusteer revealed. In a configuration file analyzed by reseachers, attackers listed the names of all of the targeted firms, Tamir said.

Citadel was also instructed to look for employee login credential as victims signed into webmail, she continued.

In a Wednesday interview with, Tamir said that IBM Trusteer could not confirm how the malware was delivered, but that, in instances where financial malware is used for APT purposes, mass distribution methods would work just fine for attackers.

“Massively distributed malware is not custom and, therefore, does not require custom delivery methods. Malvertising or phishing campaigns [can be used] to hit as many points as possible,” she said.

In the blog post, she added that other tactics, such as drive-by download and watering hole attacks, could be used to deliver Citadel for APT purposes, in order to “infect millions of PCs around the world.”

In early 2013, McAfee also shed light on this trend – hackers using data-stealing trojans, such as Citadel, to mine information from government agencies, manufacturing firms and other industries that provide critical support to the economy.

In its threat report analyzing Q4 2012, McAfee found that the prevalence of password-stealing trojans grew 72 percent over the previous quarter, a practice that was highlighted by the Poetry Group, which used Citadel to target government offices throughout the globe.

Of the growing trend, Tamir added that some attackers possessing financial trojans have shifted their aims from theft on an individual scale, to attacks targeting sensitive enterprise data.

“[Such] malware was targeting personal data to steal money,” Tamir said. “Now, the new malware is no longer interested in the individual, but the organization.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.