New functionality in the Citadel Trojan is specifically targeting password managers.
According to research by Dana Tamir, director of enterprise security at Trusteer, an IBM Company, said that while Citadel is not new, it is massively distributed and has compromised millions of computers worldwide.
She said: “IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. Massively distributed malware has been discovered by IBM Trusteer’s Service team in practically every customer environment in which they’ve worked.
“Since millions of machines are already infected with Citadel, it is easy for attackers to take advantage of this malware in new cyber schemes. All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets.”
This new version of Citadel is used to compromise password management and authentication solutions by instructing the malware to start keylogging (capturing user keystrokes) when some processes are running.
In particular it targets Personal.exe, a process which belongs to the “neXus Personal Security Client” authentication solution, which enables users to conduct secure financial transactions, e-commerce and other security-dependent services directly from the desktop; PWsafe.exe, which belongs to “Password Safe”, a free, open-source password management solution that allows you to create an encrypted user/password list; and KeePass.exe, another free, open-source, secure password manager which contains a random password generator.
Trusteer’s analysis of the configuration file showed that attackers were using a legitimate web server as the C&C. “By the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration,” Tamir said.
“Because the configuration file instructs the malware to capture keystrokes related to widely used password management and authentication solutions, we can’t know who, exactly, is the target of the attack. It might be an opportunistic attack, where the attackers are trying to see which type of information they can expose through this configuration, or a more targeted attack in which the attackers know that the target is using these specific solutions.”
Philip Lieberman, president of Lieberman Software, said that the vulnerabilities in the various personal password managers have been known to the security community for quite a while, so he was surprised that it took so long for the targets to be exploited.
He said: “The obvious remediation of the vulnerability is the inclusion of multi-factor authentication to limit the time these vaults are vulnerable.
“The other solution is to use an enterprise grade password manager that uses central storage, automatic password rotation after use, and multi-factor authentication. Vulnerability is sometimes the price we pay for convenience. The next generation of PCs with hardware encryption/authentication may negate this vulnerability and exploitation strategy.”
