Citadel Trojan snooped on password managers to snatch victims' logins

And then vanished into the night

6 Reg comments Got Tips?

Crooks have unsheathed a variant of the Citadel Trojan that targets password managers.

The malware is designed to steal a victim's master passphrase, thus unlocking his or her database of website passwords in the process. The software nasty runs a key-logger to intercept what people type into the Password Safe and KeePass open-source password management software on infected Windows PCs.

The neXus Personal Security Client – an authentication product used by big biz as well as online service providers – is also targeted.

A full technical analysis of the Citadel malware is published here: it works by injecting itself into explorer.exe processes and hooking into APIs. It also downloads a configuration file from a central command server.

"[The configuration file] instructs the malware to start key-logging (capturing user keystrokes) when some processes are running," Dana Tamir, director of enterprise security at IBM Trusteer, explains in a blog post.

It's not clear how widespread the malware infection is, nor who is masterminding it. The crooks involved scrubbed their central command-and-control (C&C) server some time shortly before Trusteer latched onto the contagion.

"Once Citadel installs on a machine, it opens communication channels with a command-and-control (C&C) server and registers with it. The malware then receives a configuration file that tells it how it should operate," explained Tamir.

"An analysis of the configuration file [used by this variant of Citadel] shows that the attackers were using a legitimate web server as the C&C,. However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration."

IBM Trusteer has passed on its research to the makers of the targeted software. ®


Biting the hand that feeds IT © 1998–2020