Inner workings of Citadel malware exposed

Malwarebytes gives blow by blow account of pernicious Trojan’s code and deployment.


Anti-malware company Malwarebytes is warning consumers of the dangers around one of the Zeus crimekit's more recent offspring, Citadel.

The Trojan is used by criminal gangs to either steal or extort money from unwitting users. Infected computers can also be turned into bots in a botnet and silently used to proliferate the malware.


In a blog post, Malwarebytes analyst Jerome Segura has demonstrated how a newer version of the Trojan, 1.3.4.5, is ordered almost like normal software from crime rings specialising in this type of cyber crime. It also shows how Citadel circumvents most anti-virus programmes by blocking them before it is recognised.


Citadel first appeared in January 2012 and can be used in one of two ways. The first and, according to Malwarebytes, most common function is to run silently and invisibly in the background, logging keystrokes and capturing images and videos of victims' computers. The primary aim of this type of attack is to covertly steal people's bank details and defraud them.

The second, less common method of attack, but one which is of greater concern to the FBI, is an extortion attack, carried out through the deployment of a piece of ransomware known as Reveton. This program locks the computer, posing as an FBI-imposed lockdown, and demands a payment in order to make it operational again.


A Malwarebytes spokesperson told IT Pro he believed the FBI was focused on the second element of the Citadel threat as it is more concerned about Reveton in general.

"[Reveton] is abusing [the FBI] brand name to extort money from people. This is obviously very serious, but is only a part of the wider Citadel threat. Keylogging and stealing personal details can go on secretly for some time, but once a piece of ransomware exposes itself then it is the final blaze of glory for any piece of malware," he said.

To avoid infection by Citadel, the spokesperson advised all PC users to use Malwarebytes Anti-Malware, to ensure they are running the most up-to-date versions of all software, and to avoid clicking on links they don't recognise as far as possible.
