Popular financial trojan Citadel gets a makeover as a corporate spy
The Citadel trojan, a popular program used by cybercriminals to gather banking credentials and steal money from accounts, has become the latest financial malware to be repurposed as a tool to steal industrial secrets—this time from petrochemical companies in the Middle East.
During mid-summer, unknown attackers used the program to gather data, including e-mail messages and credentials, from the firms, IBM Trusteer stated in an analysis published on Monday. The company’s researchers identified Citadel as the malware used to infect and steal data from the companies, which included “one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials,” the analysis stated.
The attack shows that either cybercriminals are branching out into stealing valuable industrial secrets or that industrial and nation-state spies are using off-the-shelf malware and opportunistic infections to gather sensitive information, says Dana Tamir, director of enterprise security for IBM Trusteer.
“We are seeing a trend, where these programs are no longer dedicated to financial fraud or just stealing money,” she says. “They can easily be turned into advanced tools to target specific companies and infiltrate their systems.”
Unlike most modern espionage attacks, this particular Citadel campaign did not initially focus on the targeted companies. The attackers used mass-infection techniques more typical of cybercriminals, such as broad phishing campaigns, to build a network of compromised computers. Once infected, the compromised systems connected to a command-and-control server to fetch commands in the form of a configuration file. For machines on domains belonging to the targeted petrochemical companies, the attackers served a configuration file that instructed the malware to send back a variety of data, Tamir says.
Used as an espionage tool, Citadel would log access to e-mail servers and other websites and send the data to the group’s command-and-control server. In addition, like most modern banking malware, Citadel can perform a variety of other activities, such as logging all keystrokes, taking screenshots, modifying webpages seen by the victim, and evading analysis. Other banking malware, such as Zeus and SpyEye, has been used in the past to steal corporate secrets. About 1 in 500 machines is infected with advanced malware that targets sensitive or financial information, according to IBM Trusteer.
In many ways, the Citadel operation resembles that of another banking trojan, named Dyre, which has, in very specific instances, targeted corporate data kept by cloud customer-relationship-management provider Salesforce. In those cases, Dyre downloads a configuration file that causes it to search for and steal the credentials used to log in to Salesforce.
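The mechanism described in the two paragraphs above (a commodity bot that pulls a configuration file from its command-and-control server, with a different, espionage-oriented configuration served only to machines on the targeted domains) is modelled below as an added example. This is not code from IBM Trusteer, from Citadel or from Dyre: the configuration syntax is invented for the illustration and only borrows the wildcard URL-mask idea that Zeus-family configurations use; the domain names, rules and URLs are constructed sample data under the reserved `.test` top-level domain. The same mask matcher doubles as the check a defender would run against a recovered configuration: which of the organisation's own domains does it target?

```python
"""Hypothetical model of a config-driven banking trojan being pointed at
one organisation, plus the defender-side check that follows from it.

The config syntax here is made up for this example (it only borrows the
wildcard URL-mask idea of Zeus-family configs). All domains, rules and
URLs are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    mask: str    # wildcard URL mask, e.g. "*.salesforce.test/*"
    action: str  # what the bot does when a visited URL matches


def mask_to_regex(mask: str) -> re.Pattern:
    """'*' matches any run of characters; everything else is literal."""
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_config(text: str) -> list[Rule]:
    """Parse 'mask action' lines; '#' starts a comment (hypothetical format)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mask, action = line.split(None, 1)
        rules.append(Rule(mask, action.strip()))
    return rules


# C2 side: the config a bot receives depends on the victim it reports from.
GENERIC_FRAUD_CONFIG = """
# commodity banking targets (constructed)
*.examplebank.test/* grab_post
*.paymentportal.test/login* grab_post
"""

ESPIONAGE_CONFIG = """
# targeted collection for one victim organisation (constructed)
*.petrochem-example.test/owa/* grab_post      # webmail credentials
*.petrochem-example.test/* log_keystrokes
*.salesforce.test/* grab_post                 # CRM credentials
* screenshot_on_login
"""

TARGETED_VICTIM_DOMAINS = {"petrochem-example.test"}  # constructed


def select_config(reported_domain: str) -> str:
    """Return the config the C2 would serve to a bot on this domain."""
    if reported_domain.lower() in TARGETED_VICTIM_DOMAINS:
        return ESPIONAGE_CONFIG
    return GENERIC_FRAUD_CONFIG


def fired_actions(url: str, rules: list[Rule]) -> list[str]:
    """Bot side: the actions a visited URL triggers under this config."""
    return [r.action for r in rules if mask_to_regex(r.mask).match(url)]


def org_domains_in_config(rules: list[Rule], org_domains: set[str]) -> set[str]:
    """Defender side: which of our domains a recovered config targets."""
    hit = set()
    for r in rules:
        host = r.mask.split("/", 1)[0].lstrip("*.").lower()
        for d in org_domains:
            if host == d or host.endswith("." + d):
                hit.add(d)
    return hit


if __name__ == "__main__":
    webmail = "https://mail.petrochem-example.test/owa/auth.owa"
    for bot_domain in ("petrochem-example.test", "someone-else.test"):
        rules = parse_config(select_config(bot_domain))
        print(bot_domain, "->", fired_actions(webmail, rules))
    print(org_domains_in_config(parse_config(ESPIONAGE_CONFIG),
                                {"petrochem-example.test", "other.test"}))
```

The point to take from the model is that the targeting lives in the server-delivered configuration, not in the binary: the same sample run on a machine outside the targeted domains behaves like ordinary banking malware, so a sandbox detonation of the dropper alone will not reveal who was being spied on. The recovered configuration (or the C2 traffic that carried it) is where that evidence sits, which is why the defender-side check above works on the configuration rather than on the sample.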
The use of banking trojans for the more general theft of sensitive information may be a sign that cyber espionage is becoming more industrialized, says Avivah Litan, a security analyst with business intelligence firm Gartner. Financial fraud is already very industrialized, from commodity trojans to botnet services to marketplaces for stolen data such as credit card information. With the same malware being repurposed for spying, other parts of the cybercrime ecosystem will likely follow, she says.
“Financial crime is now commercialized, and now industrial espionage is becoming that way,” Litan says. “Whether it is a rogue insider, a financial fraudster or a spy, they are typically using the same techniques.”
IBM Trusteer declined to name any of the affected companies and did not speculate who was behind the attacks. So far, the company has detected fewer than 10 affected firms. The security firm notified the affected companies earlier this summer, IBM Trusteer’s Tamir says.