Cybercriminals are using a new version of the dangerous Citadel Trojan, which has been employed to attack the financial and petrochemical industries, to compromise password and authentication solutions, IBM Trusteer has reported.
The new version begins capturing keystrokes, or keylogging, only when specific processes are running.
It was discovered on a server that already had been infected when IBM Trusteer Apex was installed — it’s not clear how the machine became infected.
The malware targeted three processes.
One is “personal.exe,” a process that belongs to the “neXus Personal Security Client.”
Another is PWsafe.exe, the process of “Password Safe,” free and open source software for Windows XP, Vista, 7 and 8 that has logged more than 4 million downloads.
The third is KeePass.exe. This process belongs to the “KeePass” open source password manager.
Capturing the keystrokes entered into any of these three processes lets attackers unlock and access the entire user name and password database the application protects.
“The vulnerabilities in the personal password managers have been known to the security community for quite a while,” remarked Philip Lieberman, president of Lieberman Software. “I’m surprised it took so long for [them] to be exploited.”
The attack “doesn’t exploit a weakness in the password manager’s system,” Jonathan Sander, of the research and strategy office at StealthBits Technologies, told TechNewsWorld. It uses the well-known technique of spearphishing, and “the only spin is the bad guys are targeting the key to the keys to the kingdom, your password manager password.”
The Magical Mystery Malware Maker
The attackers used a legitimate Web server as the command and control server, but the C&C files were removed by the time the IBM Trusteer researchers received the configuration file, so they couldn’t identify the cybercriminal behind this new version.
Citadel is highly evasive and can bypass most threat detection security systems, IBM Trusteer said. It can remain idle on an infected machine for years until it’s triggered by a user action.
“Citadel, just like Zeus, has increased in complexity over the years and adapted quickly to the signatures and other detection patterns researchers are looking for,” said Jerome Segura, senior security researcher at Malwarebytes.
Citadel improved its encryption by using a combination of RC4, base64, and XOR or even steganography to hide its configuration file, Segura told TechNewsWorld.
Getting Better All the Time
Citadel is a variant of Zeus, a really-hard-to-kill Trojan horse that has been used to steal banking information through keystroke logging and form grabbing, and to install the CryptoLocker ransomware.
Any keylogger can grab user credentials from password managers, but Citadel, like other banking Trojans, is set to become active only at certain times, such as when users navigate to banking websites, Segura pointed out. This prevents clogging the database with every keystroke users type.
These variants of Zeus “can and will evolve on a near-daily basis,” Lieberman told TechNewsWorld. “This is essentially trench warfare with daily modifications of techniques.”
Protection Against Citadel
Vendors should provide one-time access cryptography that limits the number of credentials that can be extracted at any one time with each challenge, and use external tokens, Lieberman suggested. They also should add centralized servers with password rotation and multifactor authentication.
However, “many of these improvements will not happen, because the business model of the vendors does not provide the financial incentives and budget to implement remediation technology,” he pointed out. This is “especially true” of open source vendors.
Businesses should use a central storage technology of passwords that uses tokens providing unique, one-time access, Lieberman said. More aggressive scanning of end points and more sophisticated perimeter security is needed, but smaller companies don’t have the money or expertise for this.
Consumers should “be aware that others may have the ability to take over their machines while they are away,” he advised, and should keep an eye on suspicious banking activities, email logons and activities that need their credentials. They should use multifactor authentication for banking and financial sites, and for wired transactions.