Attackers Add Ransomware to Bank Fraud Malware: Security Researchers

A notorious malware platform targeting financial information has added a new trick to its portfolio€”a digital version of hijack and ransom.

According to security firm Trusteer, the Citadel malware platform is delivering ransomware that hijacks victims’ computers. Ransomware works by restricting access to infected computer systems so that the attackers can extort payment in exchange for restoring access.

In this case, the ransomware, known as Reveton, locks the compromised computer down and displays a message demanding $100 to unfreeze it. The demand poses as a message from the U.S. Department of Justice and claims the computer’s operating system has been locked due to the presence of child pornography.

“This is another example of financial malware expanding beyond online banking fraud and being used as a launch pad for other types of cyber-attacks,” blogged Trusteer CTO Amit Klein. “Citadel is able to target employees to steal enterprise credentials, and in this example, targets victims directly to steal money from them, instead of their financial institution.”

Ransomware is hardly a new threat. However, this situation is another example of what some security researchers say is a recent uptick in ransomware activity. Jeff Wilhelm, senior analyst with Symantec Security Response, speculated that the upsurge may be due to some experimentation by attackers, who typically go where money is made the easiest.

“Ransomware is a pretty popular cyber-criminal tactic, though it still takes a backseat to such crimeware threats such as the Trojan.Zbot [Zeus],” he noted.

In April, researchers at Trend Micro reported on a piece ransomware that took the additional step of targeting the master boot record (MBR) to take control of a system.

“Last February, certain attackers compromised the Website of the French confectionery shop Ladurée to spread [ransomware],” Trend Micro Threat Response Engineer Cris Pantanilla blogged at the time. “Users who visited the said site when it was compromised ended up with systems infected with TROJ_RANSOM.BOV. This variant was found to display a notification that impersonates the French National Gendarmerie and demands payment from affected users. The people behind this attack have also impersonated police notifications from Italy, Germany, Belgium and Spain.”

“Though overshadowed by other more newsworthy threats, ransomware attacks are definitely not out of the picture,” he added.

In the case of the attack reported by Trusteer, victims are being lured to a drive-by download site and hit with a dropper that installs the Citadel malware. Citadel then retrieves the ransomware DLL from its command-and-control server, Klein explained.

“In order to unlock their computer, the victim is instructed to pay a $100 fine to the U.S. Department of Justice using prepaid money card services,” he wrote. “The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with U.S. IP addresses must pay using MoneyPak or Paysafecard.”

Citadel also continues to operate on the compromised machine on its own, independent of the Reveton ransomware. A descendant of the Zeus Trojan, Citadel can be used by fraudsters to commit online banking and credit card fraud through man-in-the-browser, keylogging and other tactics, Klein noted.

“It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack,” he wrote. “Through a combination of social engineering, data capturing and communication tampering, these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information.”