Citadel Crime Malware To Disappear From Open Market

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved,

The developers of the Citadel Trojan have said they are planning to restrict its availability, according to RSA

The cyber-criminals behind the Citadel Trojan may be pulling the malware off the cyber-world’s public black markets, security researchers said.

A spokesperson for the creators of the Citadel Trojan declared on an underground forum that after the recent release of the Trojan’s latest version (v1.3.4.5) the software would no longer be publicly available and only existing customers would be able to receive upgrades, according to RSA’s FraudAction Research Labs.

‘Creating urgency’

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC’s RSA security division told eWEEK on 2 July.

“While this could be a marketing stunt designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales,” according to RSA. “By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually – as with Zeus, SpyEye, and Carberp – more cyber-crime arrests linked with using Citadel.”

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Centre (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Centre (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

Today, Citadel is the most advanced crimeware tool money can buy, RSA said. Sold for $2,500 (£1,590), attackers can also purchase plug-ins for an average of $1,000 each.

Market success

“Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication,” RSA noted. “Since its release, Citadel has seen four major upgrades (including v1.3.4.5) that addressed “customer” concerns and fixed a long list of bugs originating in Zeus v2’s faulty mechanisms.

An excellent example of a successful deployment of a fraud as a service (FaaS) model, Citadel is the first ever crimeware to have its own dedicated CRM where its shady clientele can congregate, raise issues, get support and request new modules be implemented.”

The Citadel CRM is pushed as a mandatory part of using the Trojan, and a monthly fee is required for the membership. Those who do not pay are banned from receiving future updates.

“Looking to the surrounding cyber-crime arena, history proves that malware coders know when to leave the room,” RSA said. “To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon and Ice IX’s GSS have never been arrested, and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety.”

Are you a Skype champion? Take our quiz.