Password Stealer: Citadel Banking Malware Targets Popular Password Managers

The criminals behind Citadel, the banking malware that powers a massive botnet of infected machines used in a variety of attack campaigns, have added a configuration that switches on keystroke capture when password management software is in use, so that the master password protecting the victim's credentials can be stolen along with everything it unlocks.

IBM-Trusteer identified a Citadel configuration that lists processes associated with authentication and password management software; when one of those processes is running on an infected machine, the malware begins capturing keystrokes. According to IBM-Trusteer, Citadel targeted the neXus Personal Security Client, which is used to conduct secure financial transactions, as well as two free, open-source password managers, Password Safe and KeePass. Capturing the keystrokes typed at the master password prompt hands the attackers the one secret needed to unlock and read the victim's entire password database.

"It might be an opportunistic attack, where the attackers are trying to see which type of information they can expose through this configuration, or a more targeted attack in which the attackers know that the target is using these specific solutions," said Dana Tamir, director of enterprise security at IBM-Trusteer, who wrote about the company's research Wednesday.

IBM said it reached out to the makers of the programs targeted by Citadel. NeXus, headquartered in Sweden, could not be reached for comment on Wednesday. KeePass users recommend enabling the option to enter the master key on the Windows Secure Desktop, a separate desktop on which the usual user-mode keyboard hooks do not see input, as additional protection against malware designed to record keystrokes, according to a post at the KeePass user forum.
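Because the master password is the single secret Citadel's trigger is built to harvest, the practical check is whether each KeePass install actually has the secure-desktop option turned on. The following audit script is an added example, not code from the article, IBM-Trusteer or the KeePass project. It assumes, as I understand KeePass 2.x, that the option is stored in KeePass.config.xml (or the administrator-controlled KeePass.config.enforced.xml) as the element Configuration/Security/MasterKeyOnSecureDesktop, which defaults to false; the two configuration fragments are constructed samples, one with the weak default and one hardened.

```python
"""Audit and enforce KeePass's 'enter master key on secure desktop' option.

Added example; not part of the article and not KeePass project code.
Assumption: KeePass 2.x stores the option as
Configuration/Security/MasterKeyOnSecureDesktop in KeePass.config.xml
(default false). Verify the element name against your installed version.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default-style config with the option switched off.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Security>
    <MasterKeyOnSecureDesktop>false</MasterKeyOnSecureDesktop>
  </Security>
</Configuration>
"""

# Constructed sample: the same config with the option switched on.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "<MasterKeyOnSecureDesktop>false</MasterKeyOnSecureDesktop>",
    "<MasterKeyOnSecureDesktop>true</MasterKeyOnSecureDesktop>",
)

SETTING_PATH = "./Security/MasterKeyOnSecureDesktop"


def master_key_on_secure_desktop(xml_text: str) -> bool:
    """True only if the option is explicitly enabled.

    A missing element means KeePass's built-in default, which is off, so
    absence is reported as a weak setting rather than as unknown.
    """
    root = ET.fromstring(xml_text)
    node = root.find(SETTING_PATH)
    if node is None or node.text is None:
        return False
    return node.text.strip().lower() == "true"


def audit(xml_text: str) -> dict:
    """Return a finding dict suitable for feeding into a config-review report."""
    enabled = master_key_on_secure_desktop(xml_text)
    finding = None
    if not enabled:
        finding = (
            "Master key is typed on the interactive desktop, where a user-mode "
            "keylogger triggered by the KeePass process can capture it. Enable "
            "'Enter master key on secure desktop' or set "
            "MasterKeyOnSecureDesktop to true in KeePass.config.enforced.xml."
        )
    return {"secure_desktop": enabled, "finding": finding}


def enforce(xml_text: str) -> str:
    """Return the config with the option set to true.

    Creates the Security section and the element when they are absent, so
    the result is correct for a bare or freshly generated config as well.
    """
    root = ET.fromstring(xml_text)
    security = root.find("Security")
    if security is None:
        security = ET.SubElement(root, "Security")
    node = security.find("MasterKeyOnSecureDesktop")
    if node is None:
        node = ET.SubElement(security, "MasterKeyOnSecureDesktop")
    node.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
    print("fixed weak config now passes:",
          master_key_on_secure_desktop(enforce(WEAK_CONFIG)))
```

Running the audit across a fleet catches the common case where users installed KeePass with defaults and never visited the security options. The caveat the KeePass option text itself states also applies here: the secure desktop defeats keyloggers that rely on ordinary user-mode hooks, which is the class this article describes, not a keylogger running with kernel privileges.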


Citadel has been a persistent problem for security researchers and for antifraud experts at banks and other financial firms despite attempts to wipe it out. Microsoft took legal action last year, temporarily disrupting the Citadel botnet. Citadel is a banking Trojan built on the leaked Zeus source code, and the Zeus family is responsible for bilking millions from the bank accounts of businesses and consumers.

The Microsoft action against Citadel was brought with the assistance of the Financial Services Information Sharing and Analysis Center, the Electronic Payments Association and the American Bankers Association. Botnet analysis conducted by Dell SecureWorks researchers ranks Citadel among the top three botnets in the world, producing about 30 percent of the banking Trojan activity globally. The malware's authors ran a crowdsourcing model in which their customers proposed new features to bypass security defenses or steal additional kinds of data.

Solution providers say financially motivated attacks are the most prevalent threat they have to deal with on endpoint machines in their clients' environments. When investigators took down the GameOver Zeus botnet in June, attention was drawn to Haysite Plastics, a Pennsylvania manufacturer whose bank account was raided after several employees with access to it had their systems infected with the Zeus Trojan. Attackers seized on the opportunity, draining more than $375,000 from the firm's account in a single day.

The attention paid to organized cybercrime has some businesses attempting to identify weaknesses and reduce their attack surface where they can, say solution providers. Organizations are turning to consultancies and regional service providers to assess their security postures, said Deborah Gannaway, a principal at St. Petersburg, Fla.-based solution provider DG Technology Consulting.

Solution providers are building out professional security services to meet the growing demand, Gannaway said in a recent interview. She added that not all solution providers will have the funding and wherewithal to build out a strong security practice.

"The opportunity is there if solution providers have the staff and the know-how to build out strong services," Gannaway said. "Security services can be a challenge because the skill gap can be huge."