Citadel variant targets master passwords, authentication solutions

Data-stealing malware called Citadel, which was once exclusively used for targeting online banking credentials, continues to evolve and be repurposed for an array of malicious purposes.

In September, researchers at IBM Trusteer noted that the malware had been tweaked to target petrochemical firms through advanced persistent threat (APT) attacks, and now the firm has found a new malware variant being used to compromise password management and authentication solutions.

In a Wednesday blog post, Dana Tamir, director of enterprise at IBM Trusteer, explained that the Citadel strain receives command-and-control instructions to capture users' keystrokes (via its keylogging capability) when certain processes are running on their computer.

The targeted processes – Personal.exe, PWsafe.exe, KeePass.exe – all indicate that password management software or an authentication solution is running on a victim's machine, Tamir explained. Specifically, the free, open-source password managers “Password Safe” and “KeePass” were targeted by the attackers, as well as “neXus Personal Security Client,” an authentication solution that “enables users to conduct secure financial transactions, e-commerce and other security-dependent services directly from the desktop,” Tamir wrote.

In an interview, Tamir added that it's unclear what the ultimate goal of the malware variant is, as a number of things could be done with the stolen master passwords and credentials for authentication solutions.

“It may have been an attack to grab as many credentials as possible and sell them on the black market,” Tamir said. Or, she postulated, as a way for attackers to pivot their way into e-commerce or corporate systems.

“Typically, people that use these [password or authentication] solutions tend to be technical people. They have unique, complex passwords that are difficult to remember, and that's why they need these types of solutions,” she said.

“This is just a growing trend. We saw it in the past and we are seeing it again. It's very similar to the Dyre attack that stole passwords that were used for logging into,” Tamir later noted.

In September, customer relationship management software provider Salesforce notified its users that it had identified Dyre malware, also known as Dyreza, targeting its users. Tomer Weingarten, CEO of SentinelOne, suggested at the time that Dyre, initially crafted to steal banking credentials, may have been aimed at Salesforce users to enable theft of databases.

In her blog post, Tamir said it was important to remember that password management and authentication software "can be compromised by malware" and allow an attacker to do that very thing: "steal the master password and gain access to the user/password database of a password management solution."

Keeping this in mind, access to sensitive systems should be done from malware-free machines, she wrote. “This requires advanced malware protection that is specifically designed to handle highly sophisticated and evasive malware such as Citadel and other massively distributed advanced persistent threat malwares.”
