The Citadel banking Trojan is making a comeback, with a new variant dubbed Atmos. The new strain is currently targeting banks in France and it was also spotted being delivered with ransomware.
The latest Control & Command servers for Atmos are located in Vietnam, Canada, Ukraine, Russia, the US and Turkey, and, there are almost 1,000 bots already recruited in the network, according to Heimdal Security. That number is likely to increase as the larger the botnet, the larger its targets can be.
In an interesting development, Atmos was observed being delivered with TeslaCrypt, whose latest variant (TeslaCrypt 4) features unbreakable encryption and enhanced data-stealing capabilities.
“Banking Trojans haven’t been as active as ransomware strains in the past half a year, but there’s nothing stopping them from making a comeback,” noted Andra Zaharia, a security researcher at Heimdal Security, in a blog. “And this is especially the case since users and companies tend to expose themselves to cyber-attacks for lack of adequate patching.
Citadel emerged in 2011 after the source code for the Zeus banking Trojan was leaked online. It went on to become one of the most successful pieces of malware of all time, capable of stealing money, but also personal data.
The FBI recently sentenced its creator, Dimitry Belorossov, a/k/a Rainerfox, to four years, six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov had infected 11 million computers worldwide, operating the botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for US-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.
The botnet also gave Belorossov the power to execute additional code on the enslaved computers, everything from scareware to ransomware.
The Microsoft Digital Crimes Unit and the FBI were eventually able to disrupt the botnet. But now Atmos has appeared—Citadel’s polymorphic successor.
“So far, only a few strains of Atmos have been detected, and what they have in common is attacks targeting banks in France,” said Zaharia. “Because it’s based on Citadel, which, in turn, evolved from ZeuS, Atmos utilizes the same web injects that ZeuS became infamous for. Consequently, we can infer that this new financial malware strain is after the same objectives: money and confidential data.”
Photo © John T Takai