New Citadel trojan costs more, but allows for easier updates


Code writers behind the latest Citadel trojan, dubbed the "Rain Edition," have added advanced features and significantly boosted the price tag of the malware.

The new iteration includes a feature, called "Dynamic Config," which allows botmasters easier access to compromised victims' machines by updating the malware's configuration file immediately. Configuration files are used by owners of command-and-control servers to communicate malicious instructions to hacked PCs under their control.

The first version of Citadel, a variant of banking trojan Zeus, entered the black market in January at cost of $2,399, but now commands a fee that is 41 percent higher – $3,391 for the latest, or sixth, Citadel release.  

Limor Kessem, technical lead and fraud expert at RSA, told on Thrusday that the “dynamic config” feature exemplifies just how advanced Citadel programmers are. RSA published a blog post Thursday divulging the details of the latest software released by the malware's authors.

“They are able to implement changes that come directly from the command-and-control server in real time,” Kessem said of the newest feature. “They are cutting out time and the need [for developers] to change the whole configuration file. They can correspond immediately with a victim who is sitting in front of a screen. It's really a breakthrough. We've never seen them do that.”

Citadel, along with other banking trojans, usually infects users through spam or drive-by download campaigns launched by saboteurs. Banking malware often aims to steal account login credentials to transfer money to attackers, either in the background or by hijacking victims' computers.

One of the more pervasive trojans, Citadel was also used in August to hack into the virtual private network (VPN) of an unidentified international airport. In that incident, discovered by security firm Trusteer, Citadel was able to crack the VPN's two-factor authentication controls, and used a combination of form-grabbing and screen-capturing technologies to log into airport employees' accounts.

The malware, in conjunction with Reveton "ransomware," also has been used in a child pornography ruse used to extort money from victims, complete with fake alerts from the U.S. Department of Justice.

The Citadel trojan also has been linked with a botnet called Sopelka, which appeared in May and was shut down last month, according to S21sec, a security firm headquartered in Spain.

The firm published a Wednesday blog post, which revealed that Citadel, along with two other banking trojans, called Tatanga and Feodo, were being used to gather banking credentials from infected computers, primarily in Spain and Germany.

“During the botnet's lifetime there were at least five campaigns and it's likely that more were carried out,” said the blog post. “Of the five known campaigns, three of them installed variants of Citadel, versions and, another Feodo, and Tatanga was the chosen trojan in the other [campaign].”

Kessem said that to evade detection while continuing their scams, Citadel botmasters often start new malware campaigns almost as quickly as they are shut down.

“These botnets are up and down all the time,” Kessem said. “Sometimes, law enforcement will try to shut down a botnet, but [attackers] may start a new botnet and infection campaign, so they can't be found.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.