The Citadel Trojan has once again branched out beyond its roots as banking malware and is now targeting the master passwords guarding major password management products.
Researchers from IBM Trusteer said they’ve notified makers of the nexus Personal Security Client, Password Safe and KeePass about a new configuration file found on an infected computer targeting processes used by the respective password management tools.
“It instructs the malware to start keylogging when some processes are running,” wrote Dana Tamir, director of enterprise security at IBM Trusteer. Tamir said the Personal.exe process in nexus Personal Security Client, PWsafe.exe from Password Safe and KeePass.exe are called out by the new Citadel configuration files. In each case, the malware seeks out and captures the master password that unlocks the password database stored by the password management tool.
nexus Personal Security Client is cryptographic middleware used in enterprise and service provider environments to secure financial transactions, ecommerce and other services from the desktop. Password Safe, meanwhile, is an open source tool built by Bruce Schneier. KeePass is also a free, open source password manager; it includes a random password generator so the user does not have to come up with individual passwords. The Trojan sidesteps that protection by stealing the master password, which unlocks every stored credential at once.
Tamir could not confirm whether these are opportunistic or targeted attacks. IBM said it has notified the respective vendors in order that users might be notified as well. Citadel, like most widely distributed malware families, is crossing over more and more from the realm of cybercrime to APT-style targeted attacks. New features and a hunger for legitimate credentials make the malware, which is already sitting on hundreds of thousands of machines, particularly dangerous to critical infrastructure, in addition to financial services.
In September, a Citadel variant was used in attacks against petrochemical companies in the Middle East. IBM said at the time that the repurposed versions of Citadel were going after email credentials in order to phish others within an organization or gain deeper access to a compromised network. Tamir estimates that one in 500 computers is infected with malware used in targeted APT attacks.
Citadel can sit dormant on an infected computer until a user lands on a particular site; depending on how the malware is configured, it can be triggered by visiting a specific online banking site or web-based email login. “It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action,” Tamir said. “This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them.”