Citadel alive and kicking, and evolving from banking to APT

It is thought that when the author of Citadel, known as Aquabox, chose to pursue a lower profile last year, he also reined in the support he provided to new customers. This led to a dispute with one botnet operator, which in turn led to Aquabox’s dismissal from a major malware trading forum, and to a general belief that Citadel would decline in use. While this may well happen, says McAfee, it also warns that Citadel currently “remains a very active threat and continues to target victims in several countries.”

Citadel is a variant of the Zeus banking trojan, but always had the potential to surpass Zeus in criminal popularity. This hasn’t happened, possibly because of its withdrawal from the open malware market. It is now sold only by referral. While McAfee has found 300 active samples of Citadel, primarily in Europe, “Zeus Gameover has a large number of victims across the globe, in the tens of thousands.”

Citadel also now tends to be more targeted and less ‘banking’ focused – in one isolated case a variant was found targeting just a handful of victims solely in Madrid. This is a new development. “Citadel was originally developed and marketed as a banking Trojan and that remains its primary use today,” says McAfee. However, “We have seen a recent shift in Citadel activity that leads us to believe that some groups are using Citadel for reasons different than its original purposes.”

In two particular campaigns “that targeted Denmark, Sweden, and Poland, Citadel was used for purposes other than just financial crime (although that also occurred). The targets involved in these campaigns consist of numerous commercial and government entities.” It would seem that the ‘Poetry Group’ is behind these particular targeted attacks. McAfee suspects that the Poetry Group is of English origin because of its tendency to embed references to English poetry and kings. Government offices in Poland were a particular target.

However, in an appendix to its report, McAfee notes a more recent campaign by the Poetry Group targeting Japan. “With this attack,” notes McAfee, “it is clear that the Poetry Group intends to selectively target government agencies around the world using Citadel. From our analysis of telemetry data gathered from the field from January 13 through January 22, we were able to identify 16 government offices involved in this attack.”

McAfee believes that the nature of Citadel’s use is changing, and while it may now never be as ‘popular’ as Zeus, it expects that “its targets will shift as more cybercriminals realize the benefits of Citadel go beyond financial fraud. There is a significant amount of recent activity – as late as January 13, 2013 – to suggest that private customers will continue to use Citadel to attack businesses and government organizations.”
