Citadel Malware Now Updated with Remote Attack Capabilities: Could Lead to Banking and Financial User Data Being Compromised
Researchers state that the Citadel malware could now renew attacks via Remote Desktop Protocols and Virtual Network Connection tools.Reuters

Researchers at Trusteer, a Boston-based computer security division of IBM, now claim to have detected a new variant of the Citadel malware, that is known to attack users throughout the world and steal banking and finance related information.

According to an official blog post, security researchers state that Citadel has now been enhanced with the ability to exploit a device remotely, and thereby use the system as host to indulge in cyber-crime.

Citadel's enhanced ability comes in the form of Remote Desktop Protocol (RDP) and Virtual Network Connection (VNC).

"The security team at Trusteer, an IBM company, has just discovered a Citadel variant that takes this approach a step further, providing enhanced survivability for the attack as well as expanding this malware's capabilities to perpetrate targeted attacks on enterprises", states Etay Mayor, Senior Fraud Prevention Strategist, IBM Security, in the official blog post.

RDP and VNC protocols are widely used the world over by technical support teams to offer remote technical support to users.

Similarly, hackers can use Citadel malware remotely to obtain full control of a host computer system.

An important aspect here is that hackers using the updated Citadel malware get to access host systems via the Remote Desktop Protocol even after the malware has been detected and removed from the host computer.

"Additionally, Citadel offers the attacker the ability to run Windows shell commands. These commands are handy if the attacker wants to get a clearer picture of the network in which the infected PC resides, scan it and prepare the grounds for something more than just fraud. This type of network mapping is one of the first steps attackers take in targeted enterprise attacks", states IBM's Etay Maor.

According to Maor, the following shell commands are executed by Citadel via remote desktop processes:

  1. net user coresystem Lol117755C /add
  2. net localgroup Administrators coresystem /add
  3. net localgroup 'Remote Desktop Users' coresystem /add
  4. net accounts /maxpwage:unlimited

The above commands yield the following results correspondingly:

  1. Add a new Windows local user (username: "coresystem," password: "Lol117755C")
  2. Add the new user to the local administrator group
  3. Add the new user to the local RDP group
  4. Set the password to never expire

The above actions serve as agents for hackers to create 'backdoors' to resort to stealing confidential user information such as banking and financial transactions related data.

"Citadel operators are clearly investing in their attack's survivability as well as using the malware's features to target companies, and not even for its original target: financial fraud," adds Mr Etay Maor.

In the backdrop of Citadel receiving enhanced remote capability, it is imperative that cyber-security experts around the world come together, to develop effective malware combat mechanisms.