Citadel financial malware used in attacking petrochemical companies

A Citadel variant has been used against several Middle Eastern petrochemical companies, marking the first time the financial malware has been found in targeted attacks against companies.

Trusteer, the IBM-owned security firm that made the discovery, declined to identify the companies whose names were found in the malware's configuration files. Trusteer did not know whether the companies' systems were actually infected with the software; the names show only that they were targets.

Nevertheless, the finding opens a new chapter for a sophisticated piece of malware that is typically distributed through phishing campaigns launched from botnets of thousands of infected PCs.

Citadel has proven particularly effective in stealing consumers' online banking credentials. Last year, Microsoft reported disrupting nearly 90 percent of Citadel botnets worldwide in a takedown operation that also involved the FBI and partners in technology and financial services.

Citadel's advanced capabilities in evading anti-virus software and stealing data make it particularly useful in targeted attacks against enterprises, Dana Tamir, director of enterprise security at Trusteer, said Tuesday.

"Citadel is highly sophisticated," Tamir said. "Data exfiltration and evasive techniques were added to it, making it a very powerful tool."

The malware is especially good at stealing login credentials from an infected computer's Web browser. The variant analyzed by Trusteer was configured to watch for the login URLs of webmail systems.

When a user types in login credentials on one of those pages, the malware grabs the username and password from inside the browser and sends them to its command and control server. From there, the attacker can use the credentials to log into the email account and read corporate communications.
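The config-driven targeting described above, as an added example that is not Trusteer's tooling and not text taken from any Citadel sample: a small parser for the ZeuS-family webinject syntax that Citadel inherits, used the way an analyst would use a dumped configuration, to list which hosts it targets and to check whether a given URL and HTTP method would trigger an entry. The configuration text is constructed and its hostnames are placeholders; the wildcard semantics ('*' any run of characters, '#' one character) and the G/P/L flag meanings are assumptions based on the commonly documented ZeuS 2.x format.

```python
"""Parse a ZeuS/Citadel-style webinject config and match URLs against it.

Added illustration only: not Trusteer's tooling, not a real Citadel sample.
SAMPLE_CONFIG is constructed and its hostnames are placeholders.  Mask and
flag semantics are assumptions based on the commonly documented ZeuS format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
; constructed example in ZeuS/Citadel webinject syntax (not a real sample)
set_url https://owa.example-petro.test/owa/auth/logon.aspx* GP
data_before
name="password"
data_end
data_inject
data_end
data_after
data_end

set_url *mail.example-refinery.test/* GPL
data_before
data_end
data_inject
data_end
data_after
data_end
"""


@dataclass
class InjectEntry:
    mask: str            # URL mask exactly as written after set_url
    flags: str           # assumed: G = GET, P = POST, L = log (grab) only
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""


def mask_to_regex(mask: str) -> re.Pattern[str]:
    """Assumed ZeuS mask rules: '*' = any run of characters, '#' = one character."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_webinjects(text: str) -> list[InjectEntry]:
    """Walk set_url / data_* / data_end blocks; injected HTML is kept verbatim."""
    entries: list[InjectEntry] = []
    current: InjectEntry | None = None
    section: str | None = None
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("set_url"):
            fields = line.split()
            current = InjectEntry(mask=fields[1], flags=fields[2] if len(fields) > 2 else "")
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return entries


def targeted_hosts(entries: list[InjectEntry]) -> set[str]:
    """Hostnames named in the masks: what an analyst reads to see who is targeted."""
    hosts = set()
    for e in entries:
        host = re.sub(r"^https?://", "", e.mask, flags=re.IGNORECASE).split("/")[0].strip("*#")
        if host:
            hosts.add(host.lower())
    return hosts


def matching_entries(entries: list[InjectEntry], url: str, method: str = "GET") -> list[InjectEntry]:
    """Entries whose mask matches the URL and whose G/P flags admit the method."""
    hits = []
    wants = {"GET": "G", "POST": "P"}.get(method.upper())
    for e in entries:
        if not mask_to_regex(e.mask).match(url):
            continue
        # An entry with no G or P flag is treated as matching any method.
        if wants and ("G" in e.flags or "P" in e.flags) and wants not in e.flags:
            continue
        hits.append(e)
    return hits
```

Run `targeted_hosts(parse_webinjects(config))` over a dumped configuration to get the list of organizations whose webmail is being watched; `matching_entries` answers the narrower question of whether a specific login URL seen in proxy logs would have been grabbed.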

In addition, the attacker can use Citadel to commandeer an infected computer, gaining a foothold from which to reach other systems on the same network.

Trusteer believes the attackers behind the Citadel variant were going after organizations with infected systems that were already part of a botnet, Tamir said.

The use of botnet-distributed financial malware in targeted attacks is not new. Besides Citadel, Trusteer has found variants of Zeus, SpyEye and Shylock designed to steal corporate data.

"Every customer environment we work with we find variants of either Zeus or Citadel or SpyEye or some other financial malware," Tamir said.

Regions of the world with the highest rates of infection include the United States, the United Kingdom and Saudi Arabia, according to Trusteer. Infection rates in those areas ranged from 0.24 percent to 0.26 percent, that is, roughly 24 to 26 infected computers per 10,000 machines.

Stories by Antone Gonsalves