Citadel Developers Restrict Malware's Availability on Underground Markets

A spokesperson for the minds behind the Citadel Trojan said recently on an underground forum that the malware would no longer be publicly available, according to RSA.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

The cyber-criminals behind the Citadel Trojan may be pulling the malware off the cyber-world€™s public black markets, security researchers said.

According to RSA€™s FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum after the recent release of the Trojan€™s latest version (v1.3.4.5) that the software would no longer be publicly available and only existing customers would be able to receive upgrades.

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC€™s RSA security division told eWEEK July 2.

€œWhile this could be a marketing stunt designed to create urgency and generate more sales, Citadel€™s developers could also be seeing the need to slow down sales,€ according to RSA. €œBy selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually€”as with Zeus, SpyEye, and Carberp€”more cyber-crime arrests linked with using Citadel.€

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

Today, Citadel is the most advanced crimeware tool money can buy, RSA said. Sold for $2,500, attackers can also purchase plug-ins for an average of $1,000 each.

€œComparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication,€ RSA noted. €œSince its release, Citadel has seen four major upgrades (including v1.3.4.5) that addressed €œcustomer€ concerns and fixed a long list of bugs originating in Zeus v2€™s faulty mechanisms.

An excellent example of a successful deployment of a fraud as a service (FaaS) model, Citadel is the first ever crimeware to have its own dedicated CRM where its shady clientele can congregate, raise issues, get support and request new modules be implemented.€

The Citadel CRM is pushed as a mandatory part of using the Trojan, and a monthly fee is required for the membership. Those who do not pay are banned from receiving future updates.

€œLooking to the surrounding cyber-crime arena, history proves that malware coders know when to leave the room,€ RSA said. €œTo date, developers of popular Trojans like Zeus€™ Slavik, SpyEye€™s Gribodemon and Ice IX€™s GSS have never been arrested, and we are seeing the Citadel€™s team already taking measures to go deeper underground for their own safety.€