Citadel: The Banking Trojan for Cyber Attacks on Banks

Citadel: The Banking Trojan, wanna buy one?

Citadel is a banking trojan based on the Zeus source code. A few months after the Zeus source code was leaked, a threat actor using the moniker "AquaBox" was observed on a Russian-language eCrime forum offering Citadel 1.1, a new derivative of the Zeus malware. Citadel retained the core Zeus functionality but added modifications that improved both the trojan's capabilities and its own protection against analysis and takedown.
Citadel developed a community of customers and contributors around the globe that suggested new features and contributed code and modules as part of an ad hoc criminal social network. Capabilities included AES encryption of configuration files and communications with the C2 server, an ability to evade tracking sites, the capacity to block access to security sites on victims' systems, and the ability to record videos of victims' activities. The network of Citadel contributors continued adding innovative features to the trojan, making it more adaptive and faster, until the trojan became ubiquitous and criminals began using it for all types of credential theft.
The Citadel toolkit is made up of three parts: a builder, the actual trojan, and a C2 web panel. The builder allows the attacker to edit and compile the configuration file and to build the actual trojan that is delivered to victims' systems. The trojan modifies the compromised computers and steals information. The C2 server monitors and controls the trojan and stores all stolen data.
Citadel infects computers through many different methods. The attackers behind the Citadel trojan have made concerted efforts to spread it through spam campaigns and through drive-by download attacks that rely on various exploit kits. Table 5 shows the statistics for the Citadel samples and configurations analyzed in 2013.
ATTRIBUTE            COUNT
C2 servers           905
Configuration files  2,296
Samples              21,716
Encryption keys      311
Versions             5
Targets              1,170 (unique); 137,000 (total)

Table 5. Citadel samples and configuration files analyzed in 2013.
Architecture
Citadel's C2 design is simple. Each trojan is programmed to connect to one or more C2 servers. Attackers can dynamically update the C2 server options from a configuration file. Cybercriminals may rent individual servers to orchestrate their banking campaigns.
The Citadel trojan running on an infected system has two primary functions:
  • Passive function: automatically executed on the infected system through application programming interface (API) hooking. The hooked code embedded in network and other APIs performs the following tasks:
    • HTTP session redirection
    • Web injections (man-in-the-browser, or MITB, attack)
    • FTP credential theft
    • POP3 credential theft
    • Control of Flash files
    • Keystroke logging
    • Screen capture
    • Video recording of activities
  • Active function: executed upon receipt of a command from the C2 server. Citadel supports the following commands, organized by category:
    • OS — shutdown, reboot
    • FS — search, download, upload
    • Bot — install, uninstall, add, remove, httpinject enable/disable
    • User — logoff, url_block, certs_get, homepage_set, execute, destroy
    • DDoS — start, stop
    • Module — execute enable/disable, download enable/disable
    • Info — system info
Webinject module
Citadel introduced a new feature called "dynamic webinjection." This feature is implemented through an entry in the configuration file and a command issued to the bot from the C2 server. The new dynamic webinject feature is triggered by a command called "webinjects_update", which takes two arguments. A typical command uses the following syntax:
    webinjects_update dual "webinjects/new.js"
The first option can be "dual," "single," or "disabled," and the second option is a file path. "Dual" indicates that this webinject file should be used in conjunction with existing webinjects contained in the configuration file; "single" instructs the bot to use the listed webinject file instead of the data in the configuration file; and "disabled" turns web injection off. The second argument is the full path to the server file that contains the webinject code.
When the bot receives this command, it issues an HTTP POST request for the specified webinject file. The C2 server replies with the relevant file. The request and the reply are formatted and scrambled using the AES+RC4 encryption scheme.
Citadel has emerged as a popular choice in the underground economy for use in financial fraud. Its improved feature list suggests that the Citadel authors continue to innovate and improve the overall quality of their product by adding functionality that their competitors do not offer. Citadel has allowed attackers to expand their reach and target a larger variety of web browsers. It provides a platform for additional criminal revenue opportunities, such as installation of ransomware.
Improvements
The Citadel authors created a crowdsourced model for feature improvement by allowing customers and prospective users to propose features. Citadel has built upon the base capabilities of Zeus by introducing the following improvements:
  • Google Chrome support — Citadel added support for hooking and monitoring Chrome activity.
  • Revised cryptography — Citadel's encryption routine changed from standard RC4 to 128-bit AES. Citadel also modified the RC4 implementation slightly by adding an XOR operation with the original seed string. This custom RC4 implementation is also used to encrypt stolen data sent to the C2 server.
  • Sandbox detection — Citadel can detect if it is running within a virtualized environment. If yes, Citadel alters its behaviour, generating a random "decoy" domain name and URL path for the C2 URL rather than connecting to its typical C2 server.
  • Video capture — The video capture plugin is typically downloaded from the C2 server when the malware connects for the first time. The ability to capture video allows a threat actor to monitor some or all of a victim's browsing session.
  • Denial of service — Citadel included the capability for infected systems to participate in a distributed denial of service (DDoS) attack against a specified target. The botmaster initiates this command via the Citadel control panel.
  • Automated command execution — Citadel improved Zeus's ability to execute an arbitrary command on an infected system by introducing a series of pre-defined commands.
  • Aggressive DNS filtering — Citadel introduced a capability to alter the domain name resolution to prevent antivirus (AV) and security companies from resolving domain names, block AV software from receiving updates, and prevent victims from visiting AV or other security sites to download removal tools and obtain mitigation advice.
In May 2013, the Citadel 3.1 variant was first identified as introducing the ability to spread via external devices, such as USB drives, by taking advantage of the "autorun.inf" functionality. It also introduced a "port scan" command and added a new encryption layer for both communication and the configuration file. Compared to the previously known Citadel version 1.3.5.1, the encryption scheme was modified slightly, with an added XOR layer, a fixed constant value embedded in the binary, and 32 random bytes.
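The "Revised cryptography" item above and the paragraph on the 3.1 variant both describe Citadel layering an extra XOR with the seed string on top of RC4. The following Python is an added example written for this page from that description (not the trojan's own code, and not claimed to be a byte-exact reconstruction); it assumes the XOR is applied byte-wise with the seed cycled to the message length, and uses constructed sample values. It shows the consequence an analyst cares about: textbook RC4 with the correct key does not recover the data, and the two outputs differ by exactly the cycled seed.

```python
def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key scheduling."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 keystream generation (PRGA)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_standard(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def seed_layer(seed: bytes, length: int) -> bytes:
    """The seed string repeated to the message length (the extra XOR layer)."""
    return bytes(seed[n % len(seed)] for n in range(length))

def rc4_citadel_style(seed: bytes, data: bytes) -> bytes:
    """Model of the described variant (assumption: byte-wise, cycled seed):
    RC4 keyed with the seed, then each byte also XORed with the seed string.
    Like RC4 itself, the operation is its own inverse."""
    ks = rc4_keystream(seed, len(data))
    layer = seed_layer(seed, len(data))
    return bytes(d ^ k ^ s for d, k, s in zip(data, ks, layer))

def standard_rc4_recovers(seed: bytes, plaintext: bytes) -> bool:
    """Does textbook RC4 with the right key recover variant-encrypted data?"""
    return rc4_standard(seed, rc4_citadel_style(seed, plaintext)) == plaintext

# Constructed sample values; not real Citadel keys or configuration data.
SEED = b"constructed-seed-string"
SAMPLE = b"url_config=http://c2.example.invalid/file.php"

if __name__ == "__main__":
    ct = rc4_citadel_style(SEED, SAMPLE)
    print("round trip ok:", rc4_citadel_style(SEED, ct) == SAMPLE)
    print("textbook RC4 recovers:", standard_rc4_recovers(SEED, SAMPLE))
```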

