A crimeware toolkit believed to be behind some of the most lucrative attacks targeting the financial industry is being taken offline by its authors, who are fearful law enforcement is closing in on their location, according to researchers at RSA’s FraudAction Research Labs.
The Citadel malware toolkit, an advanced attack platform designed to create sophisticated financial malware, was given one last update before its authors declared it would no longer be publicly available for purchase, according to RSA researchers who are monitoring the Russian hacker forum where the toolkit has been sold.
Citadel is believed to be as dangerous as Zeus and SpyEye malware families, which have wreaked havoc on banks and other financial firms in the United States and abroad. The Citadel malware authors created a business model that enabled users to request additional functionality and tweaks. It is sold for up to $2,500 and receives regular automated updates to enable the malware to avoid detection by antivirus software and other signature-based antimalware technologies. Additional toolkit plug-ins, which increase the crimeware’s functionality and effectiveness, sold for up to $1,000 each, the RSA team said in a blog entry detailing the malware toolkit.
Israeli security firm Seculert described the functionality of Citadel in a blog post in February, calling it an open source malware project. Like many toolkits, Citadel contained AES encryption, functionality to avoid tracking via command-and-control servers, and blacklist functionality to block victims from accessing security vendor websites. The malware toolkit enabled cybercriminals to redirect users to a spoofed banking website, which would install additional malware on the victim’s machine and enable the attacker to record video of activity on the victim’s machine.
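One concrete way a defender can look for the "block access to security vendor websites" behaviour described above is to inspect the local hosts file for entries that sinkhole or redirect vendor domains. The following checker is an added example, not code from the article, RSA or Seculert; it assumes (the article does not say) that the blacklist is implemented through hosts-file entries, which is a common mechanism for this class of trojan. The watched domain list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that sinkhole or redirect watched (security vendor) domains.

Added example, not from the article. Assumption: the blocking is done by
writing entries into the hosts file that map vendor hostnames to loopback,
0.0.0.0 or an attacker-chosen address. The domain list below is constructed.
"""
import ipaddress

# Constructed watch list: a defender would fill this with the domains of the
# security products actually deployed in the environment.
WATCHED_DOMAINS = (
    "example-av.test",
    "security-updates.test",
)

# Address ranges that mean "this name resolves nowhere useful".
_SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)

# Names that legitimately map to loopback and must not be reported.
_LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _is_sinkhole(ip_text):
    """True if the address is loopback, the 0.0.0.0/8 range, or ::1."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in _SINKHOLE_NETS)


def _is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_blocked_vendor_entries(hosts_text):
    """Scan hosts-file text and return a list of
    (line_no, ip, hostname, kind) tuples for every watched domain that
    appears in it. kind is "sinkholed" when the address is a sinkhole and
    "redirected" otherwise; a vendor domain in the hosts file is suspicious
    either way, since the legitimate resolution comes from DNS."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        ip_text, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in _LOCALHOST_NAMES:
                continue
            if _is_watched(name):
                kind = "sinkholed" if _is_sinkhole(ip_text) else "redirected"
                findings.append((line_no, ip_text, name, kind))
    return findings


# Constructed sample hosts content (not a real capture).
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av.test example-av.test
0.0.0.0         update.security-updates.test
192.0.2.10      download.security-updates.test   # sent to an attacker-chosen host
192.0.2.20      intranet.corp.test
"""

if __name__ == "__main__":
    for line_no, ip_text, name, kind in find_blocked_vendor_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip_text} ({kind})")
```

On a live system, feed the function the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a vendor domain is worth an alert, and the "redirected" class is the stronger signal, because it points at where the traffic is being sent instead.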
“Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication,” according to RSA researchers. “Citadel developers are making good money with this banking Trojan, and much like others before them, are beginning to feel the ground under their feet getting warmer as law enforcement becomes increasingly interested in their work.”
FBI warns of Citadel ransomware
The Citadel malware platform is also used to deliver ransomware, according to an FBI warning issued May 30. The attack technique reported to the FBI freezes a victim’s screen and displays a warning that the victim has violated United States federal law. The victim is then given instructions on how to pay a $100 fine.
“The geographic location of the user’s IP address determines what payment services are offered,” the FBI said. “In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.”
Going underground boosts longevity
The tactic of taking the Citadel toolkit off the market increases its longevity, said the RSA researchers. A toolkit that becomes widely used gains the attention of researchers and investigators, making it harder for its authors to keep developing techniques that evade security software. It is likely that existing users of the toolkit will continue to receive updates, the RSA team said.
“Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room,” according to RSA. “To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety.”