Sophos researchers have analyzed this particular crimeware kit variant

Jan 29, 2013 13:11 GMT  ·  By

A new variant of the notorious Citadel crimeware kit has been spotted on the systems of Canadian financial institutions and a company that uses point of sale (POS) devices to process payments.

Experts from security firm Sophos say that the cybercriminals behind this particular variant are using different tactics than other Citadel masterminds.

While Citadel is usually configured to target as many organizations as possible in an effort to harvest large quantities of data, the attacks that target Canadian organizations show that these particular criminals might be sacrificing quantity for quality.

Once it infects a device, the malware starts taking screenshots of browser windows (focusing on the area around the mouse pointer) and collecting information entered into online forms.

“Citadel configuration files also contain a section named ‘Keylogger processes’ that details a list of processes from which key strokes will be logged,” explained James Wyke, senior threat researcher at SophosLabs UK.

“This means every time the victim types anything - usernames, passwords and card details are of particular interest - into one of those applications, all the keystrokes will be sent back to the botnet owner.”

Based on the list of process names targeted by the Trojan, experts have determined that the cybercriminals are mostly after organizations that process payment card data. Financial software such as Sage and Quickbooks is also targeted.

When it targets Canadian bank customers, the Trojan injects malicious code into the banks’ webpages, prompting victims to enter personal information that would not be required during a normal login, such as a PIN, mother’s maiden name, and answers to security questions.
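As an added, defender-side example that is not from the article or from Sophos: a page-integrity check that compares the form fields actually rendered on a login page with the fields the genuine form is expected to contain, flagging extra prompts of the kind the web inject adds (the expected field list, the hint words and the sample HTML are constructed for illustration).

```python
from html.parser import HTMLParser

# Hints drawn from the prompts the article describes; constructed list.
SUSPICIOUS_HINTS = ("pin", "maiden", "security", "question", "answer")


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name.lower())


def find_injected_fields(rendered_html, expected_fields):
    """Return (field_name, looks_like_harvesting_prompt) for each field that is
    present in the rendered page but absent from the expected baseline."""
    collector = FormFieldCollector()
    collector.feed(rendered_html)
    expected = {f.lower() for f in expected_fields}
    flagged = []
    for name in collector.fields:
        if name not in expected:
            flagged.append((name, any(h in name for h in SUSPICIOUS_HINTS)))
    return flagged


# Constructed sample: the genuine login fields plus what a web inject added.
EXPECTED_LOGIN_FIELDS = ["username", "password", "remember_me"]
SAMPLE_RENDERED_PAGE = """
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <input type="checkbox" name="remember_me">
  <input name="card_pin" placeholder="ATM PIN">
  <input name="mothers_maiden_name">
  <select name="security_question"><option>Pet</option></select>
  <input name="security_answer">
  <input type="hidden" name="csrf_token">
</form>
"""

if __name__ == "__main__":
    for field, harvesting in find_injected_fields(SAMPLE_RENDERED_PAGE, EXPECTED_LOGIN_FIELDS):
        print(f"unexpected field {field!r}" + (" (harvesting prompt)" if harvesting else ""))
```

Unexpected fields that carry no harvesting hint (here `csrf_token`) are still reported, so the baseline should be kept current with legitimate changes to the form.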

The botnet’s name, “test,” might indicate that the cybercriminals are planning to further enhance the campaign.