The malevolent Citadel financial banking trojan is being repurposed to target Middle Eastern petrochemical companies from a base of massively distributed botnets.
Citadel was originally created for the purpose of stealing money from banks; but according to IBM Trusteer, a new campaign shows attackers using a variant of the evasive Citadel malware to, instead, act as a generic advanced persistent threat (APT) against the energy sector in the Middle East, to potentially access corporate data, steal intellectual property or gain access to secured corporate resources, such as mail systems or remote access sites.
According to IBM Trusteer, the targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. We have worked to responsibly disclose this information to appropriate parties.
The Citadel malware was first discovered in 2012. Back then, it was a 'man-in-the-browser' malware designed to steal banking credentials using web injects. Since then, malware developers have significantly extended its functionality.
Today, it offers a wide range of powerful functions to steal information and remotely manage infected computers. The malware operates according to instructions provided in a configuration file. Once Citadel is installed on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal, and how to steal it.
“This is not the first time massively distributed malware originally designed for financial fraud has been used to target nonfinancial organizations in an APT-style attack,” said Dana Tamir, director of enterprise security at IBM Trusteer, in an analysis. “In fact, we wrote an article on this back in 2010. Citadel is one of many dozens of malware families that were initially created to steal money from financial targets, such as banks. These include the infamous Zeus, SpyEye and Shylock families. Over time, malware developers extended the capabilities of these malware families and added advanced evasion techniques to turn them into sophisticated APT tools that can target organizations in general.”
The typical functions available with these malware families include keylogging, screenshot capturing, recording of browser session, video capturing, HTML injection and remote control of the infected machine.
“The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware,” Tamir explained. “Instead, they use mass distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social engineering schemes to infect millions of PCs around the world.”
Earlier in the year, McAfee warned that Citadel was a disturbingly widespread presence. Despite its creator actively deciding to take a lower-profile role last year, it “remains a very active threat and continues to target victims in several countries,” the firm said.
Citadel is a variant of the Zeus banking trojan, which was targeted by Microsoft and the FBI over the summer in a a joint takedown operation that "cut communications between 1462 Citadel botnets and the millions of infected PCs around the world." This too was hoped to be a major disruption, although Microsoft's assistant general counsel at its Digital Crimes Unit, Richard Boskovich, said at the time, "due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware."
This is not the first example of Citadel shifting to become more targeted, and less ‘banking’ focused – in one isolated case a variant was found targeting just a handful of victims solely in Madrid. This is a new development. “Citadel was originally developed and marketed as a banking Trojan and that remains its primary use today,” McAfee said. However, “We have seen a recent shift in Citadel activity that leads us to believe that some groups are using Citadel for reasons different than its original purposes.”
In two particular campaigns “that targeted Denmark, Sweden, and Poland, Citadel was used for purposes other than just financial crime (although that also occurred). The targets involved in these campaigns consist of numerous commercial and government entities.”
IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time.