Point of sale devices and Canadian banks targeted by Citadel malware variant

Citadel. Image from ShutterstockAs Naked Security has described before, the highly prevalent Citadel crimeware toolkit has gone beyond its Zeus/Zbot origins to become one of the most sophisticated information-stealing Trojans on the web.

We recently discovered a Citadel sample that suggests a disturbing shift in focus by the cybercriminals running the Trojan.

Most Citadel kit owners configure their bots to target a wide range of banks and popular websites.

Citadel will grab credentials entered into forms and inject code into the webpages so that victims enter more information such as PIN numbers and answers to secret questions.

The cyber criminals operating the Citadel botnet usually aim to capture as many login credentials from as many different sources as possible. This generally yields results that are heavy on quantity but not necessarily so great on quality.

In fact, the volume of data gathered often makes it hard to find the genuinely high-value data in amongst the tat.

SophosLabs have been tracking one particular strain of Citadel that is much more specific about its targets, aiming to capture higher quality data at the sacrifice of quantity.

Point of sales device. Image from ShutterstockThe configuration file that this sample downloads shows that it is targeting a small number of financial institutions all based in Canada including one company that processes payments from Point Of Sale devices and credit and debit cards.

Accounts at this type of firm may have access to huge numbers of card details, which would give the attacker a very high return for each stolen account.

Information is acquired through screen captures, form field grabbing and through logging keystrokes. A screenshot is captured every time the left mouse button is clicked while browsing the payment processing website. Each screen capture centers on the mouse button and is sent back to the botnet owner:

Screen capture

Form data is also grabbed and sent back, including usernames and passwords:


Citadel configuration files also contain a section named “Keylogger processes” that details a list of processes from which key strokes will be logged. This means every time the victim types anything – usernames, passwords and card details are of particular interest – into one of those applications all the keystrokes will be sent back to the botnet owner.

We can clearly see what kind of victims this gang of criminals are interested in from the list of process names in the configuration file:

List of processes

Together with applications used for remote access such as Putty, SCP, VNC, GotoMyPC and PCAnywhere, we see process names such as “*store*”, “*pos*”, “*merchant*”, “*sales*” that are likely to be associated with processing payment card data. We can also see financial software being targeted such as Sage and Quickbooks.

The section in the configuration file that details the extra code that will be injected into webpages targets only Canadian banks and prompts users to enter many more personal details than would normally be required – including PIN numbers, answers to security questions and mother’s maiden name.

Interestingly, the owners have named this botnet “test” implying that this campaign is in the developmental stages and further enhancements are likely.

This configuration file shows how flexible and powerful the Citadel platform is. We can see how a malware sample can be transformed from a general purpose password stealer to a highly dangerous and targeted threat with the potential to compromise extremely valuable accounts through a few changes to its configuration data.

It also highlights a worrying trend: that crimeware kit owners are becoming more adept at using the kits they have purchased, allowing them to tailor attacks for specific high return targets, meaning that a single breach could have devastating consequences for a victim organisation.

Sophos Anti-Virus on all platforms detects and blocks this malware as follows:

• In files, as Troj/Zbot-DSP

• At runtime, as HPmal/Zbot-C

• In memory, as Troj/ZbotMem-B

Point of sale device and citadel images from Shutterstock.