Citadel Malware Used in Attacks Aimed at Petrochemical Firms

Middle Eastern petrochemical organizations have been targeted in cyberattacks leveraging the notorious Citadel Trojan, researchers at IBM-owned Trusteer reported on Monday.

Citadel is a variation of the Zeus malware which emerged after the source code for Zeus was leaked online back in 2011. The Trojan has been utilized by cybercriminals to steal sensitive information, particularly financial data. In a report published in March, Dell SecureWorks reported that Citadel was the second most prevalent banking botnet, representing 33% of the company's detections.

In June 2012, Citadel was removed from a major commercial underground marketplace after its author was banned. Many experts predicted at the time that the incident may lead to the Trojan's downfall. Furthermore, in June 2013, Microsoft announced the disruption of more than 1,000 botnets leveraging Citadel. However, it's clear that many cybercriminals continue to use the threat as a component in their attacks.

Trusteer researchers say the goal of the advanced persistent threat (APT)-style attacks against Middle Eastern organizations in the petrochemical sector appears to be gaining access to corporate data, intellectual property and secured corporate resources. Some of the most interesting targets of the campaign are one of the largest sellers of petrochemical products in the Middle East, and a regional supplier of raw petrochemical materials.

By analyzing the configuration file used by the malware in these attacks, researchers have determined that Citadel is used to identify URL addresses for webmail and other systems within the targeted company. When one of these URLs is accessed by the victim, the Trojan harvests the information submitted to the webpage.

"This is known as form grabbing, or 'HTTP POST' grabbing. When the user submits information into the system, the Web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it is encrypted and sent to the server," Dana Tamir, director of Enterprise Security at Trusteer, explained in a blog post.

In the case of a webmail system, the malware can harvest usernames, passwords and other information provided during the login process, and send it back to the attackers, who can use the credentials to access corporate email accounts.
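As an added, defender-side illustration (not code from the Trusteer report or the malware itself): once a configuration file has been recovered, an incident responder wants to know which of the organisation's own login endpoints its URL target list covers, so that those credentials can be reset and those logins monitored. The mask syntax ('*' matches any run of characters, '#' exactly one) is assumed from Zeus-style configurations; every mask and URL below is a constructed placeholder.

```python
import re

# Constructed sample of URL masks as they might appear in a decrypted
# Zeus/Citadel-style target list. Placeholders only, not real campaign data.
SAMPLE_CONFIG_MASKS = [
    "*webmail.example.com/owa/auth.owa*",
    "https://portal.example.com/login*",
    "*/sso/saml/login#",
    "*bank-example.com/ib/*",
]

# Constructed inventory of an organisation's login endpoints (placeholders).
ORG_LOGIN_URLS = [
    "https://webmail.example.com/owa/auth.owa",
    "https://portal.example.com/login?next=/home",
    "https://idp.example.com/sso/saml/login2",
    "https://intranet.example.com/wiki/",
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate an assumed Zeus-style URL mask into an anchored regex.

    '*' -> any run of characters, '#' -> exactly one character,
    everything else literal; matching is case-insensitive.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def targeted_systems(masks, urls):
    """Return {url: [matching masks]} for each inventory URL hit by a mask."""
    compiled = [(m, mask_to_regex(m)) for m in masks]
    hits = {}
    for url in urls:
        matched = [m for m, rx in compiled if rx.match(url)]
        if matched:
            hits[url] = matched
    return hits


if __name__ == "__main__":
    for url, masks in targeted_systems(SAMPLE_CONFIG_MASKS, ORG_LOGIN_URLS).items():
        print(f"TARGETED {url} <- {', '.join(masks)}")
```

Endpoints that appear in the result are the ones whose submitted credentials should be treated as exposed; endpoints absent from it were not in this config's scope, which says nothing about other configs.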

In a report published in January 2013, McAfee revealed seeing targeted attacks leveraging Citadel on public and private enterprises primarily located in Europe.

"Although the trend of using such malware for APT-style attacks has been seen for a few years now, many are still not aware of it. APTs are still referred to as highly targeted attacks that utilize custom tools specifically designed to target an organization or a group of organizations," Tamir said.

"The use of massively distributed malware means that attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social engineering schemes to infect millions of PCs around the world."

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.