Citadel Trojan Updates with Dynamic Config Mechanism that Streamlines Fraud Activity

Type threatpost
Reporter Michael Mimoso
Modified 2013-04-17T16:31:22


The elusive authors of the Citadel Trojan have released a new version of their banking botnet malware and service. The latest version, the sixth since it debuted in January and dubbed Rain, includes a dynamic configuration mechanism that allows botmasters to inject malicious content into compromised browsers on the fly. This real-time interaction with bots avoids the need to send an updated configuration file to the entire botnet and lessens the risk of detection by security operations.

“Now this is done through their administration panel; this is a big deal,” said Limor Kessem, an intelligence expert with RSA Security’s FraudAction Research Lab. “Now they can directly communicate from command and control to a bot. It’s a much quicker interaction when doing real-time fraud. This shows us that this team is really serious. Their development skills are very strong; these are not amateurs.”

The Dynamic Config injection mechanism keeps a botmaster from having to open external communications channels to send injection files or updates to configuration files. Once a victim is compromised, Kessem said, the botmaster can use HTML or JavaScript injections on legitimate banking or e-commerce pages and, via a JavaScript popup for example, ask a user for additional log-in or personal information such as date of birth or a Social Security number.
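The injections described above add fields and scripts to a page the bank never served. One defender-side check for that, added here as an example and not code from the article or from RSA, compares the bank's known-good page against what a client actually rendered and reports anything extra; the HTML below is a constructed sample, and the field names and helper names are assumptions.

```python
from html.parser import HTMLParser
import hashlib


class _PageProbe(HTMLParser):
    """Collects form input names and a hash of each inline script body."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields.append(a["name"])
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(hashlib.sha256(body.encode()).hexdigest())
            self._buf, self._in_script = [], False


def profile(html):
    p = _PageProbe()
    p.feed(html)
    return {"fields": set(p.fields), "scripts": set(p.scripts)}


def find_injections(baseline_html, observed_html):
    """Fields and inline scripts present in the observed page but absent from the baseline."""
    base, seen = profile(baseline_html), profile(observed_html)
    return {"extra_fields": sorted(seen["fields"] - base["fields"]),
            "extra_scripts": sorted(seen["scripts"] - base["scripts"])}


# Constructed sample: the bank's real login form, then the same page as rendered
# in a compromised browser, where extra inputs and an inline script were injected.
BASELINE = ('<form action="/login" method="post"><input name="username">'
            '<input name="password" type="password"></form><script>window.cfg={v:1};</script>')
OBSERVED = ('<form action="/login" method="post"><input name="username">'
            '<input name="password" type="password"><input name="dob"><input name="ssn">'
            '</form><script>window.cfg={v:1};</script><script>/* injected prompt */void 0;</script>')

if __name__ == "__main__":
    print(find_injections(BASELINE, OBSERVED))
```

In practice the baseline is taken from the server side (or a clean reference client), and any report of extra fields such as `dob` or `ssn` on a login page is a strong indicator of a web inject on that client.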

“It’s like social engineering built right into a legitimate page,” Kessem said. “If they can do it from an administrative panel, that makes it just that much easier.”

A botmaster can also now target specific bots using Dynamic Config, albeit in a much more manual way, or section off the bots under their control regionally and push injection files accordingly, for example only sending injections targeting American banks to U.S.-based compromised machines.

For now, the authors are using Dynamic Config only for injection files. A real game-changer, Kessem said, would be if the botmasters would be able to update configuration files in a similar manner.

“This is the way to go. It would give them a lot more flexibility,” she said.

Every Trojan sent to a bot has a configuration file which guides its actions. It spells out functionality, what system resources to use, where it should go for updates, where to drop credentials, how often it gets updates from C&C, payloads for specific targets and even the ability to detect and shut down antivirus protection on an infected machine.

“If they end up being able to implement more things into the Trojan in a dynamic way, like cutting down the time to update files, that will make things faster and seamless,” Kessem said.

Citadel is built on the Zeus Trojan source code, but it is closely guarded by its keepers. It is sold only on two Russian-speaking underground forums, and the authors are careful about who they sell to in order to keep support costs down and prevent infiltration by law enforcement. During the summer, the authors indicated that Citadel would no longer be publicly available. Currently, an existing customer must vouch for a new buyer, Kessem said. The price for the latest version of Citadel also skyrocketed 40 percent to $3,391, up from $2,399.

Dynamic Config is designed into Citadel’s Fraud-as-a-Service model. The authors also outsource some of the malware writing, granting temporary access to the botnet to send in new injection files for a fee.

“The injection sellers could create and save their work, get paid by the piece and work with multiple botmasters,” Kessem said. “The botmaster can oversee the whole operation and enjoy using the injections as soon as they are ready, applying them to infected machines of his choice, or the whole botnet.”

Citadel runs an open source development model of sorts. It has its own customer relationship management system, support team and forums where buyers can discuss problems. There are even extra services, Kessem said, where programmers can advertise their expertise at encryption or injection writing.

“This is a Trojan that’s very concentrated on buyers in a very specific region. It is the ‘it’ thing in the underground,” Kessem said. “Everyone is looking for it and wants to buy it; you can only rent it, not have it. It’s considered the best commercially available Trojan.”