Citadel Developers Restrict Malware's Availability on Underground Markets
The cyber-criminals behind the Citadel Trojan may be pulling the malware off the cyber-worlds public black markets, security researchers said.
According to RSAs FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum after the recent release of the Trojans latest version (v18.104.22.168) that the software would no longer be publicly available and only existing customers would be able to receive upgrades.
Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMCs RSA security division told eWEEK July 2.
While this could be a marketing stunt designed to create urgency and generate more sales, Citadels developers could also be seeing the need to slow down sales, according to RSA. By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventuallyas with Zeus, SpyEye, and Carberpmore cyber-crime arrests linked with using Citadel.
Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.
Today, Citadel is the most advanced crimeware tool money can buy, RSA said. Sold for $2,500, attackers can also purchase plug-ins for an average of $1,000 each.
Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication, RSA noted. Since its release, Citadel has seen four major upgrades (including v22.214.171.124) that addressed customer concerns and fixed a long list of bugs originating in Zeus v2s faulty mechanisms.
An excellent example of a successful deployment of a fraud as a service (FaaS) model, Citadel is the first ever crimeware to have its own dedicated CRM where its shady clientele can congregate, raise issues, get support and request new modules be implemented.
The Citadel CRM is pushed as a mandatory part of using the Trojan, and a monthly fee is required for the membership. Those who do not pay are banned from receiving future updates.
Looking to the surrounding cyber-crime arena, history proves that malware coders know when to leave the room, RSA said. To date, developers of popular Trojans like Zeus Slavik, SpyEyes Gribodemon and Ice IXs GSS have never been arrested, and we are seeing the Citadels team already taking measures to go deeper underground for their own safety.