Researchers have discovered that the new kit, dubbed the v1.3.5.1 "Rain Edition,” comes loaded with “extras” designed to better promulgate malware and steal financial information via botnets. It’s the offspring of Zeus, the widespread banking trojan, but is much more powerful than its paternal counterpart.
For instance, a new user interface is tailored to help even novice hackers get into the game. And, it comes with customer service.
"The injection sellers could create and save their work, get paid by the piece, and work with multiple botmasters – FaaS [Fraud as a service] at its best!", said Limor Kessem, a researcher at RSA, in a blog post.
It also includes a function called "dynamic config," which lets botmasters create web injection attacks and handpick which bots to send them to.
"Today’s fraud happens in real time, so speed is of the essence. This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file," explained Kessem.
Of course, it’s not simple to get one’s hands on Citadel. It will set a hacker back $3,931 for a basic version, for one thing (customer service doesn’t come cheap, apparently, even in the hacking world). And, it’s only available right now in select Russian underground forums, so would-be cyber-thieves need to bone up on their Rosetta Stone in order to locate Citadel hosts, which usually go by the handle “Bulletproof.”
“Those hosting firms are for the most part located in countries like China or Russia and therefore in their own jurisdiction where so long as you don’t commit crimes against your own people, not a whole lot can happen to you,” explained Jerome Segura, a senior security researcher at Malwarebytes. “To cover their tracks even more, the bad guys use proxy or VPN services that disguise their own IP address.”
Citadel works like this: Once set up with a server, hackers install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. The malware is built to avoid anti-virus detection and is tested with online virus scanners.
“Infected PCs all report to the mothership and wait for orders,” said Segura. “This is where it gets interesting because making malware is one thing, but actually managing your own campaigns is the key to success. The Citadel control panel is well designed and puts a lot of features at your fingertips.”
The control panel offers an overview of the machines that have been infected, and offers advanced search features to specifically look for financial institutions. Then, information is stolen through keystroke logging, screenshot capture and video capture.
“A powerful feature used to trick users into revealing confidential information is dubbed WebInject,” Segura added. “[It] creates a fake pop-up that asks the victim for personal information within the context of logging into a site. The bad guys can trigger it in two ways: either automatically when a site of interest is opened by the victim, or manually on the fly.”
It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure pad lock with the financial institution’s SSL certificate – a classic man-in-the-middle attack.
It also can trigger ransomware schemes like the one recently flagged by the FBI, where a pop-up alerts users that they have been flagged by law enforcement and must pay a fine.
Make no mistake, the kit is professional-grade. “Fit for crime king(-pins), it was built over the old Zeus’ (v2) source code, exceeding its predecessor by far and breathing new air into Trojan-facilitated cybercrime,” said Kessem. “Possessing many of Zeus’ best features and mechanisms, Citadel is continuously renovated by its developers, adding new and innovative modules designed for enhanced control over infected bots and clever victim impersonation schemes.”