Citadel malware, which has been available for sale on the black market via underground forums since January 2012, may be coming off the market, according to researchers with security provider RSA.
Continued upgrades to the malware by the malware's developers, along with its availability for purchase by criminal elements, have made Citadel one of the most popular Trojans in use today.
For example, S21sec researchers Mikel Gastesi and Jozsef Gegeny recently noted an adaptation in Citadel that acts to evade analysis of the malicious code by way of a virtual environment. The new function is an anti-emulator feature that works to prevent reverse engineering efforts necessary to understand how the malware operates, slowing down mitigation efforts.
"Citadel is the most advanced crimeware tool money can buy and is the only crimeware of its grade being marketed to fraudsters in open underground venues. Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication. Since its release, Citadel has seen 4 major upgrades (including v22.214.171.124) that addressed 'customer' concerns and fixed a long list of bugs originating in Zeus v2’s faulty mechanisms," reports RSA's FraudAction Research Labs.
The Citadel Trojan is a Zeus offshoot that can be used to commit online banking and credit card fraud by harvesting login credentials from compromised systems, and is openly available for purchase for about $2,500 with add-ons in the $1,000 price range, making the endeavor highly profitable for its developers.
"Citadel developers are making good money with this banking Trojan, and much like others before them, are beginning to feel the ground under their feet getting warmer as law enforcement becomes increasingly interested in their work," RSA states.
The increase in attention from law enforcement may be forcing the Citadel team to abandon its sales efforts, though the developers are likely to continue supporting the malware for their current customer base.
"With law enforcement hot on their heels, developers of the Citadel Trojan, who recently communicated the release of a new version (v126.96.36.199), dropped the bomb. The team’s spokesman declared that very soon their “software” will no longer be publicly available through the underground venues where the team has traditionally marketed and sold Citadel. It appears that soon enough only existing customers will continue to enjoy Citadel Trojan upgrades and those wishing to purchase a new kit from the outside will have to get a current customer to vouch for them or be denied the product altogether," RSA reports.
The move could be motivated by several reasons, such as a ploy to boost sales by insinuating the malware will become unavailable for purchase. More likely though, is the developer's need to maintain the viability of the Trojan by better controlling its dispersal and the need to prevent over-use of the malware.
"While this could be a marketing stint designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales. By selling less they can keep the Trojan from being all too widely-spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms," RSA speculates.
The move could also be motivated by a simple desire for self-preservation, as the increased use of Citadel in committing fraud raises the stakes for the developers from a legal standpoint, as law enforcement will be willing to concentrate more resources on bringing the franchise down for good - namely through focusing on the developers as opposed to the syndicates who employ the tool.
"History proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety," RSA concludes.