- A Brief Look at the Citadel Banking Trojan:
- The banking trojan, citadel was initially discovered in 2012. Citadel is based on Zeus trojan’s source code. Such type of trojan is designed to steal sensitive information including financial information and passwords.
- Citadel is known for its targeted attacks on public and private organizations with, also stealing of credentials of various information management systems, money, and infect systems with a range of malware. In fact, this is one of the first of its own kind of trojan to offer malware-as-a-service on the dark web.
- It is a toolkit for distributing malware and managing botnets, which makes it super easy to produce ransomware and infect systems one after another with pay-per-install programs. Citadel was specially designed to steal personal information specially including banking and financial information from its victims.
- The Citadel Trojan, based on the Zeus source code, constructs a botnet consisting of a considerable number of infected computers. The attacker can execute malicious code on an infected computer, including ransomware and scareware.
- How does it work?
- Citadel is installed on a victim’s computer with a drive-by-download attack which is most often done using the Blackhole exploit kit. The Blackhole exploit kit is a cloud-based pay-for-service malware or malware as a service (MaaS) platform that installs web browser exploits on unsecured web servers for installing malware on victims’ computers.
- When a user visits an infected website, Blackhole exploits a vulnerability in the user’s web browser to install Citadel.
- Citadel could hijack control of users’ Windows PCs and even attempt to grab the master passwords of some third-party password managers, and block access to anti-virus vendor websites.
- It can also be used in targeted attacks, exploiting Microsoft vulnerabilities to infect firms, as well as more traditional attacks.
- What is so special about Citadel malware?
- The author of Citadel Trojan, Mark Vartanyan, who went by the online handle of ‘’Kolypto”, was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI.
- Vartanyan admitted his guilt as a plea bargain with US federal prosecutors who have agreed not to seek a prison sentence of more than ten years.
- Citadel’s capabilities:
- Using the man-in-the-browser (MiTB) technique, that involves injecting HTML or JavaScript into a web page, this trojan harvests sensitive information.
- MiTB allows hackers to add extra fields to the web page such as PIN number or other sensitive fields.
- Users assume that they are entering details on a legitimate site, but fall victim to credential theft by this trojan.
- The malware also boasts of keylogging capabilities that can compromise password and authentication systems.
- In certain attacks, infected systems were observed to be turned to bots in a botnet.
- A ransomware called Reveton was also used in certain attacks, impersonating an FBI imposed lockdown and demanding for a ransom amount.
- Attacks in the spotlight:
- Citadel and its variants are said to have infected millions of computers and cause a massive amount of financial losses.
- January 2014: It was reported that the infamous Target breach of 2013 involved the Citadel trojan. A Target contractor fell victim to a phishing attack that installed the malware.
- February 2013: Here NBC’s website was hacked and redirected to the Citadel banking Trojan during the attack. The site was said to host an iframe that led visitors to sites hosted by the RedKit Exploit Kit which served the malware.
- September 2014: A different variant of Citadel trojan was used in several attacks that were carried out against several petrochemical companies in the middle east. This was probably the first time Citadel was used in attacks against nonfinancial entities in targeted attacks.
- April 2016: A new a Citadel variant called Atmos, was discovered. Some of the researchers observed that it had the same motives as the Citadel trojan.
- How to prevent Citadel from infecting my PC?
- To prevent Citadel from infecting your PC, try to avoid visiting unsafe websites, especially banking websites. Your PC can also get infected due to exploits in different browsers.
- Therefore, to avoid all of this, you need to install an antivirus solution as the basic protection for your PC with an antimalware solution as the necessary additional layer of protection. Make sure to keep them both updated.
- How to remove Citadel from a PC?
- One of the solutions to detect or protect yourself from Citadel, is to download Zemana AntiLogger for free (it comes with 15-days free trial). It can detect all types of malware on PC and remove it.
- To remove Citadel, download Zemana AntiLogger, that will provide with necessary Secure SSL and Keystroke Logging Protection. It is crucial to note that Zemana AntiLogger is compatible with many other antivirus softwares on a PC that runs alongside it without any conflicts.
- How a Citadel Trojan Developer Got Busted
- The U.S. District Court judge in Atlanta prisoned Mark Vartanyan for five-years. He was a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan.
- For several years, Citadel ruled the malware scene for criminals engaged in stealing online banking passwords and emptying bank accounts. Some of the U.S prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.
- Citadel was sold in underground cybercrime markets. The time-consuming and most costly aspect of malware sales and development is to help customers with tech support problems that they may have in using the crimeware.
- In addition to that, one more innovation that Citadel brought to the table was to crowdsource some of this support work. This eased the burden on the malware’s developers and freeing them up to spend more time improving their creations and adding new features.
- It was due to such nature of Citadel’s support infrastructure that FBI agents used to locate and identify Vartanyan, who went by the nickname “Kolypto.” The core seller’s nickname of Citadel was “Aquabox”. FBI was keen to identify Aquabox and the programmers he had hired to help develop Citadel.
- FBI agents in June 2012, bought several licenses of Citadel from Aquabox. This happened as soon as the agents were suggesting tweaks to the malware that they could use to their advantage. Pretending to be as an active user of the malware, FBI agents informed the Citadel developers that they’d discovered a security vulnerability in the Web-based interface.
- Dimitry Belorossov, who also goes by Rainerfox, was sentenced to a prison term of four years, six months for distributing and installing the Citadel trojan.
- Mark Vartanyan, who was accused of developing and maintaining the Citadel trojan was given a five-year prison sentence.
