SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
21 Nov 2014

Citadel variant targets password managers

The Citadel Trojan has once again branched out beyond its roots as banking malware and is now targeting the master passwords guarding major password management products.

Researchers from IBM Trusteer said they’ve notified makers of the nexus Personal Security Client, Password Safe and KeePass about a new configuration file found on an infected computer targeting processes used by the respective password management tools.

“It instructs the malware to start keylogging when some processes are running,” wrote Dana Tamir, director of enterprise security at IBM Trusteer. Tamir said the Personal.exe process in nexus Personal Security Client, PWsafe.exe from Password Safe and KeePass.exe are called out by the new Citadel configuration files. In each case, the malware seeks out and captures the master password that unlocks the password database stored by the password management tool.
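The trigger described above, keylogging that starts only while one of the named password-manager processes is running, is also a usable detection signal. The following is an added example, not code from the article, IBM Trusteer or the vendors mentioned: it replays constructed endpoint telemetry (the `process_start`, `process_exit` and `keyboard_hook` record types are an assumed schema, not any real EDR's output) and raises an alert when a process other than the password manager itself installs a keyboard hook while `Personal.exe`, `PWsafe.exe` or `KeePass.exe` is live.

```python
"""Added detection sketch: correlate keyboard-hook telemetry with the
password-manager processes named in the Citadel configuration.
The telemetry format and sample records are constructed for this example."""
import json
import ntpath

# Process names the article says the Citadel configuration watches for.
WATCHED_PROCESSES = {"personal.exe", "pwsafe.exe", "keepass.exe"}

# Constructed sample telemetry, one JSON record per line (assumed schema).
SAMPLE_EVENTS = [
    '{"ts": "2014-11-21T09:00:01Z", "event": "process_start", "pid": 100, '
    '"image": "C:\\\\Program Files\\\\KeePass\\\\KeePass.exe"}',
    '{"ts": "2014-11-21T09:00:02Z", "event": "process_start", "pid": 200, '
    '"image": "C:\\\\Windows\\\\explorer.exe"}',
    # A third process hooks the keyboard while KeePass is open: suspicious.
    '{"ts": "2014-11-21T09:00:05Z", "event": "keyboard_hook", "pid": 300, '
    '"image": "C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\updater.exe"}',
    '{"ts": "2014-11-21T09:10:00Z", "event": "process_exit", "pid": 100}',
    # Same hook after KeePass has exited: outside this rule's scope.
    '{"ts": "2014-11-21T09:10:03Z", "event": "keyboard_hook", "pid": 300, '
    '"image": "C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\updater.exe"}',
    '{"ts": "2014-11-21T09:20:00Z", "event": "process_start", "pid": 400, '
    '"image": "C:\\\\Program Files\\\\KeePass\\\\KeePass.exe"}',
    # The password manager touching keyboard input itself is expected.
    '{"ts": "2014-11-21T09:20:01Z", "event": "keyboard_hook", "pid": 400, '
    '"image": "C:\\\\Program Files\\\\KeePass\\\\KeePass.exe"}',
]


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_hooks_against_password_managers(events):
    """Return one alert per keyboard hook installed by a non-password-manager
    process while at least one watched password manager is running."""
    running = {}  # pid -> lower-cased image name of live processes
    alerts = []
    for raw in events:
        ev = json.loads(raw)
        kind = ev["event"]
        if kind == "process_start":
            running[ev["pid"]] = image_name(ev["image"])
        elif kind == "process_exit":
            running.pop(ev["pid"], None)
        elif kind == "keyboard_hook":
            hooker = image_name(ev["image"])
            targets = sorted({n for n in running.values() if n in WATCHED_PROCESSES})
            # The manager's own process may legitimately handle keyboard input
            # (hotkeys, auto-type); a third process doing so while the manager
            # is open is the behaviour the article describes.
            if targets and hooker not in WATCHED_PROCESSES:
                alerts.append({
                    "ts": ev["ts"],
                    "hooking_pid": ev["pid"],
                    "hooking_image": hooker,
                    "password_managers": targets,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_hooks_against_password_managers(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run stand-alone, this prints a single alert for `updater.exe` at 09:00:05; the later hook (no password manager running) and the hook from `KeePass.exe` itself are not flagged. In production the rule needs telemetry that actually surfaces hook installation, and accessibility tools, input-method editors and macro software will install hooks legitimately, so baseline those images before alerting on every match.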

NeXus Personal Security Client is cryptographic middleware used by enterprises and service providers to secure financial transactions, e-commerce and other services from the desktop. Password Safe, meanwhile, is an open source tool built by Bruce Schneier. KeePass is also a free, open source password manager; it includes a random password generator so the user does not have to invent individual passwords. The Trojan, however, sidesteps that protection by stealing the master password.

“An analysis of the configuration file shows that the attackers were using a legitimate Web server as the C&C,” Tamir said. “However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration.” 

Tamir could not confirm whether these are opportunistic or targeted attacks. IBM said it has notified the respective vendors in order that users might be notified as well. Citadel, like most widely distributed malware families, is crossing over more and more from the realm of cybercrime to APT-style targeted attacks. New features and a hunger for legitimate credentials make the malware, which is already sitting on hundreds of thousands of machines, particularly dangerous to critical infrastructure, in addition to financial services.

In September, a Citadel variant was used in attacks against petrochemical companies in the Middle East. IBM said at the time that the repurposed versions of Citadel were going after email credentials in order to phish others within an organization or gain deeper access to a compromised network. Tamir estimates that one in 500 computers is infected with malware used in targeted APT attacks.

“Since millions of machines are already infected with Citadel, it is easy for attackers to take advantage of this malware in new cyber schemes,” Tamir said. “All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets.”

Citadel can sit dormant on an infected computer until a user lands on a particular site; depending on how the malware is configured, it can be triggered by visiting a specific online banking site or web-based email login. “It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action,” Tamir said. “This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them.”

Tags: Citadel, Trojan, APT, password, Password Safe, KeePass, information leaks

Source: Threatpost, 2014