Citadel Financial Trojan Returns, Targeting Japan

Financial and banking organizations native to Japan seem to be targeted in this Citadel attack

“Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign,” Trend Micro researchers noted in the company blog. “We’ve reported about such incidents in the past, including in our Q1 security roundup – and we believe this latest discovery shows that those previous attacks have been expanded and are a part of this particular campaign.”

The firm has identified at least nine IP addresses serving as its command-and-control (C&C) servers, and most of them have been found to be hosted in the US and Europe. Yet, only financial and banking organizations native to Japan seem to be targeted in this attack.

“Monitoring these servers, we also discovered that 96% of the connections to these servers are coming from Japan – further proof that most of the banking trojan infections are coming from that one specific country,” the researchers noted.

After enhancing the monitoring of the C&C servers related to the campaign, the security firm found that during a six-day period no less than 20,000 unique IP addresses were connecting to these servers, with only a very minimal decrease from beginning to end. That of course indicates a widespread botnet infection is likely underway.
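The figures above (unique infected hosts, the share of connections by country, and whether the count drops over the observation window) are the kind of summary a defender produces from flow or proxy logs once a C&C watchlist is known. The following Python is an added illustration, not Trend Micro's tooling or anything from the original report: it assumes a hypothetical watchlist of documentation-range addresses (RFC 5737) and a few constructed flow records in the form `timestamp source_ip source_country destination_ip`, and computes the same three metrics the article quotes.

```python
"""Summarise connections to known C&C addresses from constructed flow logs.

Added example; the watchlist addresses and log lines are invented for
illustration and are not the real Citadel infrastructure from the report.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical C&C watchlist (RFC 5737 documentation addresses, not real IoCs).
CNC_WATCHLIST = {"192.0.2.10", "198.51.100.25", "203.0.113.77"}

# Constructed flow records: timestamp, source IP, source country, destination IP.
# The 8.8.8.8 line is benign traffic that the watchlist filter must drop.
SAMPLE_FLOWS = """\
2013-09-01T03:12:44Z 10.1.0.5 JP 192.0.2.10
2013-09-01T03:15:02Z 10.1.0.6 JP 192.0.2.10
2013-09-01T04:01:10Z 10.2.0.9 US 198.51.100.25
2013-09-01T09:40:31Z 10.1.0.5 JP 192.0.2.10
2013-09-02T01:22:07Z 10.1.0.7 JP 203.0.113.77
2013-09-02T05:05:05Z 10.1.0.6 JP 198.51.100.25
2013-09-02T07:45:12Z 10.3.0.2 DE 8.8.8.8
2013-09-03T02:11:00Z 10.1.0.8 JP 192.0.2.10
2013-09-03T06:30:45Z 10.1.0.5 JP 203.0.113.77
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, country, dst = line.split()
        flows.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "country": country,
            "dst": dst,
        })
    return flows


def cnc_flows(flows, watchlist=CNC_WATCHLIST):
    """Keep only flows whose destination is on the C&C watchlist."""
    return [f for f in flows if f["dst"] in watchlist]


def unique_sources(flows):
    """Distinct source addresses, i.e. the rough count of infected hosts."""
    return {f["src"] for f in flows}


def country_share(flows):
    """Percentage of C&C connections per source country, one decimal place."""
    counts = Counter(f["country"] for f in flows)
    total = sum(counts.values())
    if not total:
        return {}
    return {c: round(100.0 * n / total, 1) for c, n in counts.items()}


def daily_unique_sources(flows):
    """Number of distinct source addresses seen per calendar day, ordered by day."""
    per_day = defaultdict(set)
    for f in flows:
        per_day[f["when"].date().isoformat()].add(f["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def first_to_last_change(daily):
    """Percent change in daily unique sources from the first to the last day."""
    if len(daily) < 2:
        return 0.0
    counts = list(daily.values())
    return round(100.0 * (counts[-1] - counts[0]) / counts[0], 1)


def summarise(text, watchlist=CNC_WATCHLIST):
    """Produce the three headline metrics from raw flow text."""
    hits = cnc_flows(parse_flows(text), watchlist)
    daily = daily_unique_sources(hits)
    return {
        "unique_sources": len(unique_sources(hits)),
        "country_share": country_share(hits),
        "daily_unique": daily,
        "first_to_last_change_pct": first_to_last_change(daily),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports five distinct infected hosts, an 87.5% share of connections from Japan, and a one-third drop in daily unique sources between the first and last day; on real telemetry the same shape of output is what tells you whether takedown or customer advisories are reducing the infected population or whether, as in the article, the botnet is holding steady.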

“This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible,” Trend Micro said.

Citadel is spyware that uses a keylogger to obtain sensitive information such as bank account details before sending the data back to the C&C servers. It is believed that data stolen by Citadel has been used to steal $500 million from bank accounts around the world, and that some five million people have been affected. Citadel infections are primarily concentrated in the US, Europe, Hong Kong, Singapore, India, and Australia, although it is believed that there are victims in more than 90 countries.

Microsoft has been investigating both the malware and the criminal infrastructure since early 2012. In June, working with the FBI and the financial services industry, Microsoft obtained a court order allowing it to cut communications between 1462 Citadel botnets and the millions of infected PCs around the world.

The investigation was codenamed Operation b54 and was, according to Richard Boscovich, assistant general counsel at the Microsoft Digital Crimes Unit, “our most aggressive botnet operation to date.” It marks “the first time that law enforcement and the private sector have worked together in this way to execute a civil seizure warrant as part of a botnet disruption operation.”

Citadel appears to be establishing new operations outside the US. The banks and financial institutions targeted in the Japanese campaign have already released advisories to their customers and partners regarding the attack itself. As always, users should heed any warnings before logging into their online banking accounts.
