The developers of the infamous Citadel Trojan have recently released a new version, dubbed Rain Edition. The new variant costs more than its predecessor – $3,391 (€2,630), up from $2,399 (€1,850) – but it also comes with some brand new features.
One of the most noteworthy new features is called “Dynamic Config.” It allows botmasters to interact faster with their victims via browser injection technology.
“This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file,” RSA’s Limor Kessem explained.
“Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection ‘packs’ will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injection(s) go to which bot or group of bots,” she added.
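A fixed-interval poll to the C&C is something a defender can look for in web proxy logs. The script below is an added example, not code from the original article or from RSA's research: it parses a constructed log format (timestamp, source IP, destination host, path), groups requests per source/destination pair, and flags pairs whose inter-request gaps are nearly constant, which is what a client checking in "every 2 minutes" looks like. All hosts, addresses and timestamps in the sample lines are constructed.

```python
"""Beacon-periodicity check over proxy log lines.

Added example (not from the original article or RSA's research). The log
format and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src_ip> <dst_host> <path>"
# 10.0.0.5 fetches the same path from one host roughly every 120 seconds;
# 10.0.0.9 browses the same news host at irregular intervals.
SAMPLE_LOG = """\
2012-09-10T08:00:00 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:00:07 10.0.0.5 www.example-news.test /index.html
2012-09-10T08:02:01 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:03:40 10.0.0.5 www.example-news.test /sports.html
2012-09-10T08:04:00 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:05:59 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:08:00 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:09:12 10.0.0.5 www.example-news.test /world.html
2012-09-10T08:10:01 10.0.0.5 update.example-cdn.test /cfg/inj.bin
2012-09-10T08:00:03 10.0.0.9 www.example-news.test /index.html
2012-09-10T08:01:30 10.0.0.9 www.example-news.test /a.html
2012-09-10T08:04:45 10.0.0.9 www.example-news.test /b.html
2012-09-10T08:11:00 10.0.0.9 www.example-news.test /c.html
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with timestamps sorted per pair."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(times) for pair, times in seen.items()}


def intervals_seconds(times):
    """Gaps in seconds between consecutive timestamps."""
    return [(later - earlier).total_seconds()
            for earlier, later in zip(times, times[1:])]


def find_beacons(text, min_hits=4, max_jitter_ratio=0.05):
    """Return [(src, dst, mean_gap_seconds)] for source/destination pairs
    with at least min_hits requests whose gaps vary by no more than
    max_jitter_ratio of the mean gap (low coefficient of variation)."""
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = intervals_seconds(times)
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter_ratio:
            flagged.append((src, dst, round(avg, 1)))
    return flagged


if __name__ == "__main__":
    for src, dst, avg in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{avg}s between requests (periodic)")
```

On the sample data only the 10.0.0.5 to update.example-cdn.test pair is flagged, at roughly 120 seconds; the 10.0.0.9 browsing session has the same number of requests but irregular gaps and is ignored. A regular interval on its own is a weak signal (software updaters and monitoring agents poll too), so in practice this check is combined with destination reputation, the age of the domain, and whether the fetched path changes over time.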
This new mechanism makes Citadel a representative of the Fraud-as-a-Service (FaaS) model, because botmasters are no longer forced to do all the work themselves.
Instead, they can hire up to 5 henchmen to help them out in creating injections. They all have their own section on the administrator panel, which gives them only limited access to the entire operation.
The advantage for the injection sellers in this case is that they can work with multiple botmasters.
To ensure that Citadel will not suffer the same fate as SpyEye, the malware’s developers are trying to keep their creation away from individuals who are “overly programming-savvy,” and are focusing on improving its interface to make it as easy as possible to use.
Furthermore, the creators reserve the right to refuse to sell the Trojan to any buyer without having to give too many explanations.