High-end Citadel financial malware overtakes Zeus as king

After the source code of Zeus went public in 2011, it was only a matter of time before variations and improvements started appearing. And now, according to Korean security vendor AhnLab, Citadel has emerged as the “most dominating malware, with enhanced malicious functions.”

The company found in its analysis that Citadel has many things in common with Zeus. It creates and manages a botnet, and is designed to collect personal information from infected PCs, including online banking information, web browser credentials and social networking service (SNS) account data. As if that weren’t enough, it adds little extras (gold rims, if you will), like the ability to deliver ransomware and scareware in attempts to extort money directly from victims.

However, in terms of info-stealing, Citadel far surpasses Zeus – making the latter look more like a sensible sedan than a flashy criminal hotrod.

“Both malwares collect and leak basic information of [the] infected PC, including OS information, data of [the] web browser in use, system time and user admin name before they steal banking credential[s],” AhnLab noted in an analysis. “Citadel, in addition to the basic information, leaks more comprehensive information of infected PCs, including domain information of local network, the list of database servers, network configuration information and homepage setting information. With this information gathered, the attacker can design more targeted threats.”

A new version of Citadel, custom-made for financial crime, was first uncovered in early November. It was found to be available only on underground Russian crimeware forums, and at a steep price: $3,000. Researchers noted that the kit is impressively effective. So effective, in fact, that it is now rising to the top of the heap despite its limited accessibility.

AhnLab noted that one reason for its rapid adoption is the fact that it is provided in a Software-as-a-Service (SaaS) model. “It has its own store, and customers can manage the malware from creation to maintenance,” the company said. “The store offers the Citadel builder, botnets [paid on a] monthly basis, update service, a test [for] avoiding Antivirus measures and many other features. It indicates a recent trend of the cybercrime ecosystem.”

Indeed, “hacking-as-a-service” is on the rise, particularly when it comes to botnet-based malware attacks, and Russia appears to be at the fore of pushing financial cybercrime forward.

To protect against data theft enabled by such sophisticated malware, AhnLab recommends a four-pronged defense: a dedicated secure browser that creates a protected environment for online transactions, anti-keylogger protection, firewalls and anti-virus software.