Labs Paper Looks ‘Inside the World of the Citadel Trojan’

Zeus “banking” malware and its variants have been making headlines in recent months. One variant, the Citadel Trojan, has now taken the spotlight with the news of its withdrawal from the open crimeware market.

Recently the author of Citadel, Aquabox, has been banned from a large online forum that sells malware and other services to cybercriminals. Some in the security industry predict that this will be the downfall of the Citadel Trojan; this very well may be the case. However, at the moment McAfee Global Threat Intelligence shows that Citadel remains a very active threat and continues to target victims in several countries. As with any sophisticated malware—such as Zeus and SpyEye—that ceases development, this Trojan’s use will continue as long as it provides value to cybercriminal operations.

McAfee Labs concludes that some groups—and especially the “Poetry Group”—have shifted tactics to use Citadel in ways other than what it was originally intended for. We also see from our telemetry data gathered from the field that Citadel still remains active in many parts of the world.

The Poetry Group

Summary of the group’s activity:

  • 27 Japanese government offices compromised across three distinct campaigns
  • 43 government offices targeted in Poland
  • Victims found in Poland, Denmark, Sweden, Spain, Netherlands, Estonia, Czech Republic, Switzerland, and Japan
  • More than a half-dozen campaigns conducted by this group since October 2012
  • Compromised more than 1,000 victims worldwide with their campaigns

This group has been actively using Citadel to target government offices around the world since October 2012. From our field telemetry, we were able to pinpoint the regions and identify targets and victims spanning more than a half-dozen campaigns.

Our threat map shows that their focus remains on Poland and Denmark, which have the highest infection numbers. Japan is the next most popular target.

20130131 Citadel ThreatChart

One interesting campaign that we also observed in our research infected 13 victims in Poland, all in government offices. This was a very targeted campaign indeed, focusing at first on selective targets across the country. The campaign began late in December 2012 and ended on Jan 23. Furthermore, we found a list recovered from process memory pertaining to certain city-level government domains in Poland. Many of the telemetry hits matched government offices in the targeted city, which led us to conclude that the group was using this list as a filter to target certain local government sites.

The group orchestrating these attacks embeds strings of poetry as a string-table resource in the malware binary. Many of these poetic statements are rather cryptic and are quoted from Shakespeare. At first glance they appear meaningless. However, in some cases we found political comments referencing the target country.

In one of the malware binaries, the group made a rather harsh statement toward Poland, which to date has had 379 victims of this Citadel campaign.

20130131 Citadel stringtable

This type of targeted messaging goes hand in hand with another reference made toward Denmark, which followed Poland in magnitude with 218 infected victims.

After an analysis of 300 unique Citadel Trojan samples, we conclude that the poetry strings are not caused by a common tool nor or they included in Citadel by default; they are the work of the Poetry Group. We suspect that Poetry Group may be a byproduct of a for-hire data-gathering operation for a private clientele; and their tool of choice is Citadel. McAfee Labs will continue to monitor their activity.

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top