14 DAY TRIAL // A new version of the Citadel Trojan, which is based on the infamous Zeus banking malware, has been discovered by security researchers to allow access to the affected systems even after it has been detected and eliminated.
The feat is pulled via the remote desktop capabilities available in Windows operating system.
In a recent blog post, security researchers from IBM have analyzed a sample of the new Citadel strain that appears to be used for specifically targeting enterprise environments.
Although Citadel has included remote desktop capabilities since its first release via the built-in VNC module, when it was removed from the affected system it would no longer have access to it. However, the most advanced types of malicious software today have built-in remote control capabilities.
Once it infects a machine, the latest version of the malware offers operators the possibility to execute commands via the Windows shell to add a new local user with a specific name and a password that is set never to expire.
Next, they add it to the local administrator group and then to the local RDP (Remote Desktop Protocol) group. This way, they gain remote access to the system.
The attackers provide their own name and password for the user. In the sample analyzed by the IBM researchers, the name was “coresystem” and the password was “Lol117755C.”
Since threat actors can access the computer system remotely through a service that is not connected to the malware, even if Citadel is detected and removed, their presence on the system remains unaffected, allowing them to initiate future attacks.
IMB security researcher Etay Maor believes that the current variant has been designed to target companies. Under this scenario, the new Citadel offers attackers multiple advantages, one of them being the fact that intercepting a rogue RDP connection is more difficult to achieve, especially since many companies use the protocol for technical support.
Moreover, he says that the illusion of safety after administrators find the malware on the systems is also contributing to the persistency of the attack. “A user who was vigilant enough to detect and remove Citadel will now feel safe to use his or her device, thinking it is clean,” he writes.
If this strain switched its financial fraud purpose and it is aimed at corporate environments, it shows that threat actors have no problem using code that has been involved in numerous cybercrime incidents and adapt it to fresh needs.