As evidence that malware is using old-school techniques to overcome security solutions, a recent variant of the Citadel banking Trojan demonstrates how attackers, who are likely using Citadel to target enterprises, are using a simple yet effective trick to maintain persistence.
Remote desktop (RDP) and Virtual Network Computing (VNC) protocols are widely used by information technology support teams to take over devices. When users have issues, they can call technical support, and a support engineer can take over the device to solve the problem. Malware authors have added this functionality to their malware to allow the attacker to take over a victim’s device. Attackers who target high-net-worth accounts cannot rely on automated scripts for their attacks, since an attack attempting to steal a six- or seven-digit amount has to be carefully and manually conducted, according to Trusteer/IBM.
Citadel, a malware family based on Zeus, has offered VNC capabilities since its first version. At the same time, Citadel offers the attacker the ability to run Windows shell commands. These commands are handy if the attacker wants to get a clearer picture of the network in which the infected PC resides, scan it and prepare the ground for something more than just fraud.
“This type of network mapping is one of the first steps attackers take in targeted enterprise attacks,” the researcher noted. “They gather intelligence, get a clear picture of the target and then strike.”
But Citadel is faced with a problem: If the malware is detected and removed by the victim, the VNC capabilities are lost with it.
While malware modules such as VNC and communications may be more vulnerable to interception and analysis by security software, a new variant of Citadel establishes a way to use Windows-native RDP capabilities in case something goes wrong with VNC. That way, it may fly under the radar, as some companies actually use this exact same protocol for technical support.
“Citadel operators are clearly investing in their attack’s survivability as well as using the malware’s features to target companies, and not even for its original target: financial fraud,” Trusteer researcher Etay Maor said in a blog post detailing the new capabilities.
After the device is infected, the ability to run Windows shell commands is used for more than just reconnaissance. For instance, it allows the attacker to take over an authenticated session and use HTML injection to ask the victim for additional information (such as one-time passwords) in real time.
The attacker also sets up a backup back door into the infected device. Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities.
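A defender-side check, added here as an example and not part of Trusteer's write-up or the malware itself, audits a Windows host for the native RDP fallback the article describes. It assumes the usual enablement points (the fDenyTSConnections registry value, the TermService service, the "Remote Desktop" firewall rule group and the Remote Desktop Users group); the article does not say which of these Citadel changes, and the baseline values are constructed placeholders.

```powershell
# Added example (not from the article): audit a host for native RDP being
# enabled outside of policy. The baseline below is constructed; adjust it
# to what your own policy allows for this machine class.
$Expected = @{
    RdpEnabled      = $false
    AllowedRdpUsers = @('CONTOSO\HelpDesk')   # constructed placeholder group
}

function Get-RdpExposure {
    # 0 = connections allowed, 1 = denied (the default on a locked-down workstation)
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = [bool]($ts -and $ts.fDenyTSConnections -eq 0)

    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $fw  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    $members = @()
    try {
        $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop |
                     ForEach-Object { $_.Name })
    } catch { }

    # Successful interactive RDP logons in the last 7 days: event 4624, logon type 10.
    # Property indices follow the 4624 schema: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
    $since = (Get-Date).AddDays(-7)
    $rdpLogons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                               -ErrorAction SilentlyContinue |
                   Where-Object { $_.Properties[8].Value -eq 10 } |
                   ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated
                                                        User = $_.Properties[5].Value
                                                        Source = $_.Properties[18].Value } })

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        ServiceStatus    = if ($svc) { $svc.Status } else { 'Missing' }
        InboundRulesOpen = @($fw).Count
        RdpGroupMembers  = $members
        RecentRdpLogons  = $rdpLogons
    }
}

function Test-RdpBaseline {
    param($State, $Baseline)
    $findings = @()
    if ($State.RdpEnabled -ne $Baseline.RdpEnabled) { $findings += "RDP enabled state differs from baseline (enabled=$($State.RdpEnabled))" }
    foreach ($u in ($State.RdpGroupMembers | Where-Object { $Baseline.AllowedRdpUsers -notcontains $_ })) { $findings += "Unexpected Remote Desktop Users member: $u" }
    if ($State.RecentRdpLogons.Count -gt 0) { $findings += "$($State.RecentRdpLogons.Count) RDP logon(s) in the last 7 days" }
    return $findings
}

$state = Get-RdpExposure
$state | Format-List
Test-RdpBaseline -State $state -Baseline $Expected
```

Run it from an elevated session; a host that should never accept RDP but reports RdpEnabled = True, an open inbound rule or an unexpected group member is worth investigating even after the malware itself has been removed.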
It gives an illusion of safety for users: A user who was vigilant enough to detect and remove Citadel will now feel safe to use his or her device, thinking it is clean when it isn’t.
It’s becoming a more common gambit as well. “Most advanced types of malware have this ability today, including SpyEye’s use of Remote Desktop Protocol (RDP),” Maor said.