Experts at IBM Trusteer security firms have discovered a massively distributed Citadel trojan targets Middle Eastern Petrochemical companies.

Researchers at IBM Trusteer have recently discovered targeted cyber attacks using a variant of the popular Citadel trojan on several Middle Eastern petrochemical companies. The Citadel Trojan is a malware designed to steal personal information, including banking and financial data, from infected machines. The Citadel Trojan was first discovered in 2012 and  it is based on the source code of the banking trojan Zeus. Security experts have discovered numerous Citadel botnet over the years used to run large scale scams.

The experts consider the discovery as the first time Citadel trojan is used to target nonfinancial entities in a targeted for corporate espionage.

“The targets of this attack include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. IBM has worked with the appropriate channels to responsibly disclose this information to the targeted companies.” reports a blog post published by SecurityIntelligence.

The availability online of the Zeus source code has made possible a significant improvement of the Citadel malware whom functionalities are improved by several malware authors. The latest versions include sophisticated remote management and data stealing capabilities. In the specific case, threat actors configured Citadel bots to spy on users’ activity on certain URLs (e.g. “http://mail.target-company.com,”), such as the webmail of the targeted companies, and to grab every data provided in the form. The information collected through the form grabbing is sent to the a C&C server managed by cyber criminals, who can then log in on behalf of the victim, access corporate emails and manage his email account.

“Once Citadel is installed on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal and how to steal it. According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of Internet-connected systems, such as webmail, of the targeted companies. Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user. This is known as form grabbing, or “HTTP POST” grabbing. When the user submits information into the system, the Web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it is encrypted and sent to the server.” continues the post.

o1

The functions available with Citadel Trojan and other malware families include:

  • Keylogging: Recording the user keystrokes and sending them to the attacker.
  • Screenshot capturing: Recording the browser session, including all the information that is displayed to the user.
  • Video capturing: Recording a video stream of a browser session, including all the information that is displayed to the user.
  • Form grabbing (HTTP POST grabbing): A method used to acquire user input from a Web data form before it is sent to the user. HTTP POST grabbing has multiple advantages compared to other information-stealing methods such as keylogging and screenshot capturing. Capturing the data in the form just before it is sent to the server enables the attacker to capture the real, complete data the user entered, even if the user entered it using a virtual keyboard or copied and pasted it into the browser.
  • HTML injection: A method used to inject HTML content into a legitimate Web page in order to modify it and steal information from the user. It is often used to display fake security warnings and customized text requesting additional information during login, account navigation and financial transactions.
  • Remote execution of command line instructions: Enables the operator to collect data and change settings on one or more remote computers.
  • Remote control of the infected machine: Allows complete control over the PC and full access to the corporate network. It is typically done via a graphical, desktop-sharing system that is used to remotely control another computer, such as virtual network computing tools.
  • Advanced evasion techniques: Designed to evade antivirus and other traditional security controls.
  • Anti-research techniques: A variety of sophisticated features designed to thwart malware researchers from analyzing the malware and understanding its internal operations or attack methods.

The above features make this category of malicious code very effective for targeted attacks and in the past many APT groups have already exploited these kind of source codes.

APTs use to compromise their targets adopting similar malware in malicious phishing campaigns, drive-by downloads attacks, watering hole attacks and social engineering schemes as confirmed by the experts at Trusteer.

“IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. IBM Trusteer’s Service team reports that they have discovered such malware in practically every customer environment in which they’ve worked.”

Let’s close the post with an interesting couple of graphs proposed by the IBM Trusteer research team, which show the geographic distribution of APT malware infection rates:

o3

Pierluigi Paganini