Citadel Malware: The Growing Threat
Fraudsters Combine Extortion with Account Takeover
It's not just the malware financial institutions have to worry about these days - it's also the complementary features and technical support that's often packaged along with malware, says Etay Maor, manager at RSA's FraudAction Research Lab.
Citadel, the latest Zeus variant to garner attention from security experts, is a prime example of how hackers are pairing technical sophistication with practical conveniences such as support and feature roadmaps, says Maor, who oversees online fraud and cybercrime research at RSA.
He says Citadel is worrisome for "several reasons."
"These guys don't just sell you a trojan," Maor says. "They don't just sell you a piece of software. They offer support. They offer a knowledge database. They let you know which versions are coming and what changes they're going to make and implement in future versions."
Hackers selling and supporting Citadel have even established message boards for questions and answers about the trojan, Maor adds.
Ultimately, Citadel reflects a new kind of sophistication in the malware business - for today's hackers, software alone is not enough.
So what can banks and credit unions do to mitigate the risks they and their online customers and members face?
Maor says the best response is the same one bankers and security officers would apply to thwart any malware attack: layers of security.
"You won't hear me say, 'If you take or use this solution or this methodology, this one thing will help you,'" he says. "There's no such thing. It has to come in multiple layers."
Customer and member education is part of it. But it's only one piece. "The institutions need to look and see if the trojans that are out there are even targeting [them]," Maor says. "Who's looking to steal my information? Get an idea of what you're up against."
By incorporating device profiling, user profiling and behavioral analytics, institutions improve their chances of detecting fraudulent sessions and transactions early when an infection does slip past the customer's endpoint defenses.
During this interview, Maor discusses:
- How Citadel is continually evolving and even targeting mobile devices;
- Why consumer education and anomaly detection are the best defenses;
- Why the U.S. is being targeted.
Maor is manager at RSA's FraudAction Research Lab, the online fraud and cybercrime research facility that tracks emerging threats and monitors the global fraud infrastructure and communication channels. Maor's team analyzes emerging threats, such as new and evolving Trojans, phishing techniques, botnets and the cybercrime underground economy.
Before moving to the Research Lab, Maor served as a senior member of the Online Threats Managed Services group at RSA, the security division of EMC, where he worked closely with global financial institutions, government agencies and other entities to facilitate various anti-phishing, anti-Trojan and intelligence services.
TRACY KITTEN: Citadel is a Zeus variant RSA has been researching for some time. What can you tell us about Citadel, and why is it so concerning?
ETAY MAOR: There are several reasons why Citadel is so concerning. First off, it has to do with the technical aspect. Citadel - which is actually a Zeus variant - probably the most popular financial Trojan out there - offers all of the previous Zeus options and some additional things. For example, Citadel offers a video capturing option. That means that anything that the user does will be captured in a video file and sent to the fraudster. In addition, Citadel offers advanced techniques to evade anti-virus detection. We've seen these types of techniques in the past with other Trojans, but Citadel just took it a notch up. In addition, Citadel also offers some advanced encryption techniques for the data they steal. A VNC option - that's a virtual network connection - allows hackers to take over the user's computer without them even knowing about it, and that's just in the technical sense.
What Citadel has done is they actually created a very interesting Citadel group or community. These guys don't just sell you a Trojan. They don't just sell you a piece of software. They offer support. They offer a knowledge database. They let you know which versions are coming and what changes they're going to make and implement in future versions. They have a community where you can ask and get answers about the operation of the Citadel Trojan, and they even went as far as going to the community and asking them, "What are our clients interested in? What are the next features you guys want to see in the next versions?" And they do a poll where they ask the users this question. It's a technically advanced Trojan, but also a group that knows that software is not enough. You have to have good PR and a good reach out to the community.
KITTEN: When was Citadel discovered and how has it evolved? And you've touched on some of the evolution, but how long has Citadel been out there?
MAOR: We saw Citadel for the first time in early 2012 ... end of January or beginning of February. But again, it's a Zeus offspring so even the guys who created Citadel say, "We just gave it a different name but we added a whole bunch of options and we're providing you with additional services on top." So Zeus has been around for years now. Citadel, this specific version, has been around for at least six months out there in the open.
KITTEN: The Federal Bureau of Investigation issued a new warning about Citadel attacks, which are now being waged in conjunction with the drive-by virus known as Reveton. Reveton is a type of ransomware that is often used to hijack computers. These so-called ransomware attacks are not new, and RSA has investigated ransomware attacks for a while. What can you tell us about ransomware, and why is it just now getting attention from federal authorities?
MAOR: We have been investigating it and we've seen ransomware in the past. Ransomware is a piece of software that freezes your computer and asks you for money. Usually we have seen this not just as ransomware, but also as scareware. In typical scareware scams, after something was installed on your computer, it would tell you that your computer is not safe and you need to download this application to secure your computer, and then it actually stole the money. Ransomware on the other hand locks down your computer, and we have seen these in the past where it gives you a message saying, "All the information on your computer is now encrypted. We didn't delete or change anything. It's just encrypted on a computer and you cannot touch it unless you pay us this amount of money." That's a typical ransomware case.
Now the reason that the federal authorities are now more interested in it is because in the latest surge of attacks - Citadel plus Reveton ransomware - they have actually used the FBI name as part of the attack. And what happened is you would receive a notification saying that the FBI locked down your computer ... due to the fact that you went to some child pornography site and you have to pay a fine and it will not give you access back to your computer unless you pay this fine. Now we have seen these types of attacks a lot in Europe. I can't recall a surge of attacks like this in the U.S.
Ransomware Coupled with Trojans
KITTEN: You've noted that Reveton is not something that you have researched specifically, but I did want to ask a little bit about the connection between Reveton and Citadel. Is it rare to see ransomware coupled with a financial Trojan?
MAOR: That's a good question. I don't recall any types of scams in the past, which kind of got me thinking, "What's going on here?" You have a sophisticated piece of code like Citadel. Why are you coupling that with ransomware, which is not something that I would typically expect? There are two things that come to mind. First of all, this might be a joint venture. What I mean by that is we do see a lot [of people] in the fraud underground that advertise their botnets. People go online and they advertise in one of the fraud forums saying, "I have a botnet and I have - for example - 100,000 people infected in the U.S. I'm selling this botnet." It may be that somebody has the Reveton ransomware and he wants to infect people. Well if you already have a botnet of people who are infected with Citadel, it's very easy to send something like this as part of an update file and infect these 100,000 people with this software.
A case that can be [made] here is that somebody approached an owner of a Citadel botnet and said, "I would pay you five dollars per every bot that you infect with my software," and they couple the two together. Another thing that might be happening is you have a group now who was simply satisfied to actually infect people, not just with Citadel but also with Reveton, just to get an extra hold on the victims' computers. They're saying, "OK, I have Citadel installed on the victim's computer. Why not try to get an extra amount of money from this person by locking down his computer with ransomware? We already have his username and password, and we can probably hack his bank account or corporate account, or whatever information we stole." [The malware] shuts down his computer and so we can get an extra $50, $100, $200 in the process.
Targeting U.S. Users
KITTEN: You've talked a little bit about the fact that Citadel is something that we've seen in other parts of the world, but of course it's targeting U.S. users now. Why do you think U.S. users are primary targets, and why do you think their bank accounts are primarily targets?
MAOR: I was actually referring to ransomware. We have had Citadel in the past, not just in Europe but in other parts of the world, and the U.S. as well, but you're right; it's targeting malware, with Reveton, U.S. bank accounts. Why's that happening? First of all, that's where a lot of the money is. One thing that we have seen in the past is different types of techniques being used in different places of the world in smaller numbers and then they just moved to the U.S. And after they have tried it in some place, they just change location and try it on a much larger audience, which is the U.S.
KITTEN: How well informed are consumers about these types of attacks?
MAOR: Consumers are getting informed, and I can tell you that today people are much more aware than they were two or three years ago. A lot of it also has to do not directly with financial Trojans, but the fact that people read about Trojans; they read about the kinds of cyberattacks like Flame, Stuxnet, and Duqu. They hear about these things and they're becoming aware of security in general, which is good.
Now people are getting aware of security, not just in the sense of national attack security, but their own private computers. People are aware, but it's still not enough. We should be reaching out more and people should be aware of this in a much broader scale. Software security and computer security is not there. How many times have you heard a mother tell her child, "Don't take candy from a stranger; look left and right before you cross the road"? Well, kids today are not outside as they used to be; they're much more on computers. The same thing goes for older people, and still computer security is not discussed enough. In fact, security is not sexy enough. When I think about it, when you go and buy a car, I'm pretty sure one of the first things you check is how safe it is. How safe is it for my family? But then again, when you go into a bank or when you start working with a credit card on a specific site, I don't think that people ask themselves enough: "Is this secure? Am I doing the right thing?" I think we're on the right path, but there's still a lot of work to be done.
KITTEN: I also wanted to ask about mobile devices. Do you see these types of attacks being waged against mobile?
MAOR: Citadel also has a module that targets mobile devices. ... I wouldn't say they're full-blown mobile Trojans yet, so they're using different techniques to intercept SMS, specifically SMS that are sent from the bank to the client, but they're moving in that direction. We've already seen rogue applications - applications that look like the bank might have put them online to aid the end user, but in fact they're not. They're bad applications. Or, they're not authorized by the bank. That's one thing. And we have seen Trojans that are targeting specific users that use SMS as part of their authentication to the bank, and these Trojans will persuade the end-user through some social engineering to install software on his or her mobile device, which will actually be some sort of SMS interceptor, and any SMS that user receives will then be sent to the bad guys. So yes, we're seeing them starting to target the mobile devices as well.
KITTEN: When we take a step back and we look at some of these advanced persistent threats and cyber-attacks, generally, how do Citadel and Reveton attacks compare, and are they more threatening than other attacks RSA has researched?
MAOR: Well, it's a different type of an attack. You have to remember that when you're talking about cyberattacks and nation-sponsored cyberattacks, the goal is different. Usually when you're talking about a financial Trojan, your goal is to make an amount of money and you really don't care what happens later. That's not the case with cyber-attacks. With cyber-attacks, usually once you penetrate an organization you remain low and under the radar for as long as you can, you use different techniques to actually evade detection, but also you don't make the client aware. And even after you steal data, you still don't want to be detected. But interestingly enough, we're starting to see - I wouldn't say a crossover but ... elements of what we see in cybercrime in financial fraud - and specifically I'm talking again about Citadel. Citadel has advertised that one of their modules will allow you to actually net the network of the infected computer. What happens is once Citadel is installed on the victim's device, it will run a set of commands on a command prompt. Of course, the user will not see this, and those commands are network commands that will allow it to understand which computers are on this network, what IP. It will actually net the network and will send the result of this command to the botnet owner. Even in the Citadel advertisement, in the underground forum, they said this will help you map if you're trying to get access into a company.
Steps to Secure Online Accounts
KITTEN: What steps should banking institutions be taking to ensure that online accounts are protected? How can they invest in solutions as well as educate consumers?
MAOR: There's an array of [steps] that banks and companies need to take to secure their users. You won't hear me say, "If you take or use this solution or this methodology, this one thing will help you." ... First of all, education is something that I'm all for. People need to be aware of the problem. That's a big thing. So having institutions educate their users as well as their employees about threats that are out there is something that's a must today.
In addition, you want to take the layered approach and try to see if there's anything out there that's actually targeting me. The institutions need to look and see if the Trojans that are out there are even targeting [them]. Who's looking to steal my information? Get an idea of what you're up against.
Once you have an idea of what you're up against, you need to protect your internal network as well, and not just your internal network, but if you have a login page or anything of that sort. You need to make sure that whoever tries to access any sort of resource, be it an end-user trying to access a bank or an employee trying to access information which is confidential, you need to make sure that the username and password they're using [is] legitimate. Make sure that they really are who they claim they are. [Incorporate] things like device-profiling, user-profiling and behavioral-profiling and so on.
After that, when we're talking specifically about financial institutions, you want to make sure to have an additional layer where you monitor the transaction. Even if the user is who he claims he is, you want to make sure that if you see [someone] going in every day and moving $100, if [they] go in today and then move $40,000, something's questionable here. You want to take another look at that.
If we're talking specifically about the cases like Citadel and Reveton, one thing that I also suggest is, of course, educating the customers that they should not respond to anything that freezes their computer. The FBI will not ask them to pay a fine on their computer for going to a child pornography site. What you really want to do is call in an expert who will remove the threat from your computer, in this specific case ransomware crimeware.
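The layered approach Maor describes above - device profiling, user profiling and a transaction-monitoring layer that catches the "$100 every day, then $40,000" pattern - can be sketched in code. The following is an added example written for this page, not RSA code or any product's logic. It assumes a stable device fingerprint is available per session (hypothetical `device_id`), builds a per-customer baseline from constructed transaction history, and scores a new transaction on three independent signals before deciding whether to allow it, queue it for review, or step up authentication.

```python
"""Toy layered fraud check: device profile + payee history + amount baseline.

Constructed illustration for this page; not RSA or any vendor's code.
A production system would add session behaviour, network reputation,
velocity checks and feedback from confirmed fraud cases.
"""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class Txn:
    user: str
    device_id: str   # assumed: stable browser/device fingerprint from the session
    amount: float
    payee: str


@dataclass
class UserProfile:
    devices: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)


def build_profile(history):
    """Derive a customer's baseline from past (assumed legitimate) transactions."""
    profile = UserProfile()
    for t in history:
        profile.devices.add(t.device_id)
        profile.payees.add(t.payee)
        profile.amounts.append(t.amount)
    return profile


def robust_z(amount, amounts):
    """Robust z-score using median and MAD, so a baseline of many small
    transfers is not dragged upwards by one earlier large payment."""
    if len(amounts) < 5:          # too little history to call anything an outlier
        return 0.0
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    # MAD is 0 when every past amount is identical; fall back to 10% of the median.
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)
    return (amount - med) / scale


def assess(profile, txn, z_threshold=10.0):
    """Combine the layers: each signal alone is noisy, agreement is not.

    Returns {"action": allow|review|step_up, "reasons": [...], "z": float}.
    """
    reasons = []
    if txn.device_id not in profile.devices:
        reasons.append("new_device")
    if txn.payee not in profile.payees:
        reasons.append("new_payee")
    z = robust_z(txn.amount, profile.amounts)
    if z > z_threshold:
        reasons.append("amount_outlier")

    # A large deviation from the customer's own pattern is enough on its own to
    # demand step-up, because a Trojan driving the victim's browser (or a VNC
    # session from the victim's machine) will pass the device check.
    if "amount_outlier" in reasons or len(reasons) >= 2:
        action = "step_up"
    elif reasons:
        action = "review"
    else:
        action = "allow"
    return {"action": action, "reasons": reasons, "z": z}


if __name__ == "__main__":
    # Constructed history: a customer who pays roughly $100 to one payee each day.
    history = [Txn("alice", "dev-A", a, "rent-landlord")
               for a in [100, 95, 105, 100, 110, 90, 100, 100, 105, 95]]
    profile = build_profile(history)
    for candidate in [
        Txn("alice", "dev-A", 100.0, "rent-landlord"),     # usual behaviour
        Txn("alice", "dev-A", 40000.0, "mule-account"),    # Maor's $40,000 case
        Txn("alice", "dev-Z", 100.0, "rent-landlord"),     # same habit, unknown device
    ]:
        print(candidate.amount, candidate.payee, "->", assess(profile, candidate))
```

The middle case is the one that matters for Citadel: the fraudster already holds valid credentials and may be operating from the victim's own infected machine, so the login and device layers see nothing wrong. Only the transaction layer, comparing the $40,000 transfer with the customer's own baseline, trips, which is why Maor insists that no single layer is sufficient.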