Citadel Malware May Be Coming Off the Open Market

Tuesday, July 03, 2012



Citadel malware, which has been available for sale on the black market via underground forums since January 2012, may be coming off the market, according to researchers with security provider RSA.

Continued upgrades to the malware by the malware's developers, along with its availability for purchase by criminal elements, have made Citadel one of the most popular Trojans in use today.

For example, S21sec researchers Mikel Gastesi and Jozsef Gegeny recently noted an adaptation in Citadel that acts to evade analysis of the malicious code by way of a virtual environment. The new function is an anti-emulator feature that works to prevent reverse engineering efforts necessary to understand how the malware operates, slowing down mitigation efforts.

"Citadel is the most advanced crimeware tool money can buy and is the only crimeware of its grade being marketed to fraudsters in open underground venues.  Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication.  Since its release, Citadel has seen 4 major upgrades (including v1.3.4.5) that addressed 'customer' concerns and fixed a long list of bugs originating in Zeus v2’s faulty mechanisms," reports RSA's FraudAction Research Labs.

The Citadel Trojan is a Zeus offshoot that can be used to commit online banking and credit card fraud by harvesting login credentials from compromised systems, and is openly available for purchase for about $2,500 with add-ons in the $1,000 price range, making the endeavor highly profitable for its developers.

"Citadel developers are making good money with this banking Trojan, and much like others before them, are beginning to feel the ground under their feet getting warmer as law enforcement becomes increasingly interested in their work," RSA states.

The increase in attention from law enforcement may be forcing the Citadel team to abandon its sales efforts, though the developers are likely to continue supporting the malware for their current customer base.

"With law enforcement hot on their heels, developers of the Citadel Trojan, who recently communicated the release of a new version (v1.3.4.5), dropped the bomb. The team’s spokesman declared that very soon their “software” will no longer be publicly available through the underground venues where the team has traditionally marketed and sold Citadel.  It appears that soon enough only existing customers will continue to enjoy Citadel Trojan upgrades and those wishing to purchase a new kit from the outside will have to get a current customer to vouch for them or be denied the product altogether," RSA reports.

The move could be motivated by several reasons, such as a ploy to boost sales by insinuating the malware will become unavailable for purchase. More likely though, is the developer's need to maintain the viability of the Trojan by better controlling its dispersal and the need to prevent over-use of the malware.

"While this could be a marketing stint designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales. By selling less they can keep the Trojan from being all too widely-spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms," RSA speculates.

The move could also be motivated by a simple desire for self-preservation, as the increased use of Citadel in committing fraud raises the stakes for the developers from a legal standpoint, as law enforcement will be willing to concentrate more resources on bringing the franchise down for good - namely through focusing on the developers as opposed to the syndicates who employ the tool.

"History proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety," RSA concludes.


Possibly Related Articles:
Viruses & Malware
RSA malware Cyber Crime Crimeware Headlines Law Enforcement Black Market trojan Citadel
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.