Citadel is a banking trojan known for targeted attacks on public and private organizations: it steals credentials for a range of information-management systems, steals money from online banking sessions, and loads further malware onto the systems it infects. It was also one of the first trojans to be sold as malware-as-a-service on underground (dark web) forums.
Citadel’s capabilities
Citadel harvests sensitive information with the man-in-the-browser (MitB) technique: rather than attacking the network or the server, the trojan modifies web pages inside the victim's browser, injecting HTML or JavaScript (extra form fields, scripts that capture keystrokes or session data) into pages the victim has already requested. Because the modification happens after TLS has been stripped and before the page is rendered, the address bar, the padlock and the server's own logs all look normal; only the page content the victim sees has changed.
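How such a web inject rewrites a page, shown as an added example that is not Citadel's code and not part of the original article. The rule syntax below follows the Zeus-family webinjects.txt layout (set_url / data_before / data_inject / data_after), which Citadel is assumed here to have inherited from Zeus; the bank URL, the login page, the rule and the unexpectedFields check are all constructed for illustration and are not a real target or a production control.

```javascript
// Added example (not Citadel's code): simulate a Zeus-family webinject rule
// rewriting a login page inside the browser, then flag the injected field.
// Rule syntax follows the Zeus webinjects.txt layout, which Citadel inherited
// (assumption). Page, URL and rule below are constructed for illustration.

// Constructed webinject rule. set_url takes a '*' glob plus G/P flags (GET/POST).
const RULE_TEXT = `
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>ATM PIN <input type="text" name="atm_pin"></label>
data_end
data_after
<button>
data_end
`;

// Constructed login page exactly as the bank's server sent it.
const ORIGINAL_PAGE = `<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button>Sign in</button>
</form>
</body></html>`;

// Parse one rule block into { url, flags, before, inject, after }.
function parseRule(text) {
  const rule = { url: null, flags: "", before: "", inject: "", after: "" };
  let section = null;
  for (const line of text.split("\n")) {
    if (line.startsWith("set_url ")) {
      const parts = line.trim().split(/\s+/);
      rule.url = parts[1];
      rule.flags = parts[2] || "";
    } else if (line === "data_before" || line === "data_inject" || line === "data_after") {
      section = line.slice("data_".length);
    } else if (line === "data_end") {
      section = null;
    } else if (section !== null) {
      rule[section] += line + "\n";
    }
  }
  for (const k of ["before", "inject", "after"]) rule[k] = rule[k].trim();
  return rule;
}

// Escape a literal for use inside a RegExp.
const esc = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// '*' in set_url matches any run of characters; the whole URL must match.
function urlMatches(pattern, url) {
  return new RegExp("^" + pattern.split("*").map(esc).join(".*") + "$").test(url);
}

// '*' inside data_before / data_after matches the shortest run of page text.
function pageAnchor(glob) {
  return new RegExp(glob.split("*").map(esc).join("[\\s\\S]*?"));
}

// The injection: replace whatever lies between the data_before and data_after
// anchors with data_inject. The server never sees this; it happens to the
// already-decrypted response inside the victim's browser.
function applyInject(page, rule, url) {
  if (!urlMatches(rule.url, url)) return page;
  const before = pageAnchor(rule.before).exec(page);
  if (!before) return page;
  const start = before.index + before[0].length;
  const rest = page.slice(start);
  const after = pageAnchor(rule.after).exec(rest);
  if (!after) return page;
  return page.slice(0, start) + rule.inject + rest.slice(after.index);
}

// Defender side: list every named <input> in the page as rendered.
function formFieldNames(page) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  for (let m = re.exec(page); m !== null; m = re.exec(page)) names.push(m[1]);
  return names;
}

// Fields present in the rendered form that the bank's page never contained.
// A client-side integrity script can do the same against the live DOM and
// report the extra field names back to the bank.
function unexpectedFields(page, expectedNames) {
  return formFieldNames(page).filter(n => !expectedNames.includes(n));
}

if (typeof require !== "undefined" && require.main === module) {
  const rule = parseRule(RULE_TEXT);
  const rendered = applyInject(ORIGINAL_PAGE, rule, "https://bank.example/login?lang=en");
  console.log(rendered);
  console.log("unexpected fields:", unexpectedFields(rendered, ["user", "password"]));
}
```

Run with node and the rendered form gains an "ATM PIN" field that the bank never served, which is exactly what the victim would be asked to fill in. The unexpectedFields check illustrates the defensive idea (compare the rendered form against the field set the server knows it sent) but carries the caveat every MitB defense does: it runs in the same compromised browser, so the trojan can hook or suppress it; treat it as a detection signal to correlate with server-side anomalies, not as a guarantee.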
Attacks in the spotlight
Citadel and its variants are reported to have infected millions of computers and caused very large financial losses.
February 2013: NBC's website was compromised and used to serve the Citadel banking trojan. The site was reported to host an iframe that sent visitors to pages run by the RedKit exploit kit, which delivered the malware.
January 2014: It was reported that the Target breach of late 2013 involved the Citadel trojan. A Target contractor fell victim to a phishing email that installed the malware, and the attackers used that foothold to reach Target's network.
September 2014: Researchers discovered a Citadel variant used in attacks against several petrochemical companies in the Middle East. This was probably the first time Citadel was seen in targeted attacks against non-financial organizations.
April 2016: A new malware strain called Atmos, a Citadel variant, was discovered. Researchers observed that it pursued the same goals as the Citadel trojan, namely banking credential theft.
Citadel's developer and distributor sent to prison
Dimitry Belorossov, who also went by the handle Rainerfox, was sentenced to four years and six months in prison for distributing and installing the Citadel trojan.
Mark Vartanyan, who was charged with developing and maintaining the Citadel trojan, was given a five-year prison sentence.