The Citadel Trojan has a new target: password managers, the tools holding the passwords that keep important management products safe. IBM Trusteer researchers have announced that they have informed the creators of nexus Personal Security Client, KeePass and Password Safe about a configuration file they detected on a compromised PC; the file targets processes used by the corresponding password managers.
An IBM Trusteer expert explains that the file “instructs the malware to start keylogging” when certain processes are running. The new Citadel configuration files call out:
- Personal.exe process in nexus Personal Security Client
- PWsafe.exe from Password Safe
- KeePass.exe from KeePass
In these cases, the malware searches for the master password that unlocks the password database kept by the password management tool.
“neXus Personal Security Client is the cryptographic middleware – the interlinking piece of software – that makes the cryptographic functions (signing and decrypting) of smart media available to PC and online applications. neXus Personal Security Client provides all common cryptographic APIs, enabling it to seamlessly integrate with common applications with embedded security functions: domain login, email signature and encryption, document signing, VPN access, file encryption, user registration via XEnroll/CertEnroll, browser SSL and WebServices security etc.
Furthermore, neXus Personal Security Client includes a number of browser plug-in modules, which make for easy use of the smart media functions in web applications. In this way, neXus Personal allows users to conduct secure financial transactions, e-commerce and other security-dependent services directly from the desktop. PIN, PUK and certificate management is supported via a pre-installed and easy-to-use GUI and online processes.”
Dana Tamir of IBM Trusteer reported that analysis of the configuration file revealed that the command-and-control (C&C) server the attackers used was a legitimate Web server. By the time of the research, however, the C&C files had already been removed, so the research team had no chance to identify the authors behind the configuration or to determine whether the attacks were targeted or opportunistic.
Like other popular malware families, Citadel is also making the leap towards targeted APT attacks. What makes the malware extremely dangerous, beyond the fact that Citadel has already spread to a large network of infected computers, is its newly added features and its pursuit of legitimate credentials.
A version of Citadel was responsible for the attacks against petrochemical companies in September. In that campaign, the Citadel variants used targeted email credentials so that the attackers could gain access to the compromised network.
Citadel Malware Already Has Infected Millions of Computers
According to Tamir’s estimate, one in five hundred PCs is infected with malicious software that is used in targeted APT attacks.
Millions of computers are already infected with Citadel, which lets attackers reuse the malware in new campaigns. According to Tamir, all the cyber criminals need to do is “provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets.”
The Citadel malware can lie dormant on an infected machine for a long period until the user browses to a particular online banking website or web-based login, depending on how the malware has been configured. Most people have no idea their computers are infected, and that can be turned against them quite easily.