14 DAY TRIAL // Operators behind Citadel Trojan have started to deliver new instructions to the malware to steal the passwords for password managers, applications used for storing credentials to different online accounts.
The new configuration file requests the threat to initiate the keylogging functionality when certain processes are running. These are personal.exe, pwsafe.exe, and keypass.exe.
Threat can sit on the computer and wait for an instruction set
Security researchers at Trusteer, IBM’s security division, discovered the new behavior recently, on a machine protected by its solution. The experts do not know if the system belongs to a consumer or whether it is part of the network of an enterprise, as the sample was collected anonymously from the affected machine.
From the information they received, the computer was already infected, but there are no details on how the compromise was achieved.
Citadel “can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action. This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them,” Dana Tamir, director of enterprise security at Trusteer says in a blog post.
As such, the malware can be leveraged by its operators at any time by sending it new instructions through the command and control (C&C) server.
The processes monitored by the threat belong to neXus Personal Security Client, PasswordSafe and KeyPass; the first one is a program that authenticates users securely, based on smart-cards, for safely carrying out financial operations with different applications.
The last two are password managers that create an encrypted database containing credentials for whatever accounts the user needs. By capturing the master password for the database, the cybercriminals basically have access to the entire log-in data they protect.
Info on the attackers has not been uncovered
Many password managers include capabilities beyond safe storage of username and password pairs, and also include features for saving various pieces of information, such as card data, answers to security questions, as well as other details required for logging into a service or changing its configuration.
Trusteer did not manage to gain knowledge relating to the individuals behind the incident because, at the time they received the configuration file for analysis, the data on the C&C server had been removed. What they know is that the attackers used a legitimate web server as the command and control server.
The company notes that it tried to contact the developers of the targeted products so that they can warn users about the current risk and offer them recommendations that would mitigate the danger.
