IBM Uncovers Fresh Sample of Trojan Citadel
According to IBM, the notorious banking Trojan Citadel is now using remote desktop tools as an added feature for bypassing security software, infosecurity-magazine.com reported on August 2, 2014.
Evidently, the new variant of the Trojan relies on old-school methods to undermine anti-malware solutions, demonstrating how the attackers, who are probably using it to compromise businesses, employ one simple but effective tactic to remain persistent.
IBM notes that IT support teams use RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) to take control of users' computers that have problems and fix those very machines. Citadel's developers have built the same functionality into their malware so that the attackers can take control of a victim's computer. Where high-net-worth accounts are targeted, the attackers cannot rely on automated scripts: an attempt to steal a six- or seven-figure sum has to be carried out manually and carefully.
Moreover, the malware creates a user account on the victim's machine with a name and password chosen by the attackers. In the sample that IBM's security experts examined, the user name was "coresystem" and the password "Lol117755C".
Because the attackers then reach the victim's PC remotely through this account, over a remote-desktop session that is not tied to the malicious program, they keep their access even if Citadel is detected and removed, letting them carry out further attacks.
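The persistence pattern described above, a local account created on the victim machine and later used over RDP so that access survives removal of the malware, can be hunted for in Windows Security logs by correlating account-creation events with remote-interactive logons. The following Python is an added example, not code from IBM or from the article: the event records are constructed for illustration, and the trusted-provisioner set and internal address ranges are assumptions that a team would replace with its own.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the article): which subjects are
# allowed to provision local accounts, and which address ranges are internal.
TRUSTED_PROVISIONERS = {"helpdesk-admin"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(days=7)  # how long after creation a first RDP logon is still "linked"

# Constructed sample of Windows Security events, reduced to the fields the check
# uses. Event IDs are the real Windows ones: 4720 = user account created,
# 4732 = member added to a local group, 4624 = successful logon
# (LogonType 10 = RemoteInteractive, i.e. an RDP session).
SAMPLE_EVENTS = [
    # Legitimate support workflow: helpdesk creates a service account, then
    # logs on over RDP from an internal address.
    {"ts": "2014-08-01T08:00:00", "id": 4720, "host": "WS01", "target": "svc-backup", "subject": "helpdesk-admin"},
    {"ts": "2014-08-01T10:00:00", "id": 4624, "host": "WS01", "target": "helpdesk-admin", "logon_type": 10, "src_ip": "10.0.5.20"},
    # Pattern from the article: the infected user's session creates an account,
    # adds it to Remote Desktop Users, and an external host later logs on as it.
    {"ts": "2014-08-01T09:12:03", "id": 4720, "host": "WS01", "target": "coresystem", "subject": "jsmith"},
    {"ts": "2014-08-01T09:12:05", "id": 4732, "host": "WS01", "target": "coresystem", "group": "Remote Desktop Users", "subject": "jsmith"},
    {"ts": "2014-08-01T11:47:40", "id": 4624, "host": "WS01", "target": "coresystem", "logon_type": 10, "src_ip": "203.0.113.45"},
    # Console logon (type 2) by a freshly created account: not RDP, so ignored.
    {"ts": "2014-08-01T12:00:00", "id": 4624, "host": "WS01", "target": "svc-backup", "logon_type": 2, "src_ip": "-"},
]


def _is_internal(ip, nets):
    """True if ip parses and falls inside one of the internal networks."""
    try:
        addr = ip_address(ip)
    except ValueError:  # Windows logs "-" when no source address applies
        return False
    return any(addr in n for n in nets)


def find_backdoor_accounts(events, trusted=TRUSTED_PROVISIONERS,
                           internal=INTERNAL_NETS, window=WINDOW):
    """Correlate account creation with later RDP logons and return findings.

    Each finding is a dict with host, account, created_by, logon_src and a list
    of reasons. An account is reported only if a 4720 event for it is followed,
    within `window`, by a type-10 logon as that account, and at least one of
    the creator, the group change, or the logon source looks untrusted.
    """
    created = {}    # (host, account) -> (creation time, creating subject)
    rdp_group = {}  # (host, account) -> subject that added it to Remote Desktop Users
    reported = set()
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        key = (e["host"], e["target"])
        if e["id"] == 4720:
            created[key] = (datetime.fromisoformat(e["ts"]), e["subject"])
        elif e["id"] == 4732 and e.get("group") == "Remote Desktop Users":
            rdp_group[key] = e["subject"]
        elif e["id"] == 4624 and e.get("logon_type") == 10 and key in created:
            if key in reported:
                continue
            t_created, creator = created[key]
            t_logon = datetime.fromisoformat(e["ts"])
            if not (t_created <= t_logon <= t_created + window):
                continue
            reasons = []
            if creator not in trusted:
                reasons.append(f"account created by untrusted subject {creator}")
            if key in rdp_group and rdp_group[key] not in trusted:
                reasons.append(f"added to Remote Desktop Users by {rdp_group[key]}")
            if not _is_internal(e["src_ip"], internal):
                reasons.append(f"RDP logon from external address {e['src_ip']}")
            if reasons:
                reported.add(key)
                findings.append({"host": e["host"], "account": e["target"],
                                 "created_by": creator, "logon_src": e["src_ip"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_backdoor_accounts(SAMPLE_EVENTS):
        print(f"{f['host']}: account {f['account']} ({', '.join(f['reasons'])})")
```

The check deliberately keys on the pair "created, then used over RDP" rather than on the account name alone: the name and password in IBM's sample are trivially changed between builds, while the sequence of events is what the technique requires. Removing the malware does not remove the account, so the same correlation is worth running retroactively over the log retention window after any Citadel cleanup.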
Commenting further on the new Citadel variant, Etay Maor, Security Researcher at IBM, said he was sure it had been created to attack enterprises. In that scenario, the Citadel variant gave the cyber-criminals several advantages, one of which is that, since many organizations use RDP connections to provide technical support, intercepting a fake one is harder to achieve, he explained. Softpedia.com reported this on August 4, 2014.
Citadel itself is derived from ZeuS, the well-known banking Trojan. In June 2013, Microsoft, with help from the FBI, conducted a takedown that disrupted over 1,400 botnets built with Citadel. Servers hosted at two locations in the USA were seized at the time, and within two months, according to Microsoft, 88% of the Citadel botnets had been dismantled.
» SPAMfighter News - 8/11/2014