Using malware to control a malware-infected device is nothing new. In fact, in our article about malware trends in 2014, Amit Klein, Chief Technology Officer of Trusteer, an IBM company, specifically points out that malware will again use old-school techniques to overcome security solutions. One of these techniques is the ability to remotely take over a device and use it to commit fraud.

Most advanced types of malware have this ability today, including SpyEye’s use of Remote Desktop Protocol (RDP) and Zeus’ and Citadel’s use of Virtual Network Connection (VNC). The security team at Trusteer, an IBM company, has just discovered a Citadel variant that takes this approach a step further, providing enhanced survivability for the attack as well as expanding this malware’s capabilities to perpetrate targeted attacks on enterprises.

The Rise of Remote Control

RDP and VNC are widely used by information technology support teams to take over devices. When users have issues, they can call technical support, and a support engineer can take over the device to solve the problem. Malware authors have added this functionality to their malware to allow the attacker to take over a victim’s device. Attackers who target high-net-worth accounts cannot rely on automated scripts for their attacks, since an attack attempting to steal a six- or seven-digit amount has to be carefully and manually conducted.


This manual process does have benefits, though. First, this evades some security solutions that specifically search for behavior associated with automatic scripts. Second, it allows the attacker to take over an authenticated session and use HTML injection to ask the victim for additional information (such as one-time passwords) in real time. Third, it allows the attacker to circumvent device ID security systems as the attack is coming from the legitimate user’s device, not from the attacker’s device.

Citadel, a malware based on Zeus, has offered VNC capabilities since its first version. Additionally, Citadel offers the attacker the ability to run Windows shell commands. These commands are handy if the attacker wants to get a clearer picture of the network in which the infected PC resides, scan it and prepare the ground for something more than just fraud. This type of network mapping is one of the first steps attackers take in targeted enterprise attacks: They gather intelligence, get a clear picture of the target and then strike. This capability was highlighted when Citadel was introduced to the fraudster underground. Citadel’s advertisement stated, “AutoCMD (This is a good feature to have when analyzing a company’s internal structure).” But Citadel is faced with a problem: If the malware is detected and removed by the victim, the VNC capabilities are lost with it. A recent variant analyzed by Trusteer’s security team demonstrated how attackers, who are likely using Citadel to target enterprises, have found a solution to this problem.

How It Works

The new variant uses a simple yet effective trick. After the device is infected, the ability to run Windows shell commands is used for more than just reconnaissance. The variant also executes the following commands:

  1. net user coresystem Lol117755C /add
  2. net localgroup Administrators coresystem /add
  3. net localgroup "Remote Desktop Users" coresystem /add
  4. net accounts /maxpwage:unlimited

These commands do the following:

  1. Add a new Windows local user (username: “coresystem,” password: “Lol117755C”)
  2. Add the new user to the local administrator group
  3. Add the new user to the local RDP group
  4. Set the password to never expire
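As an added example (not from the original article or from Trusteer), the following Python detector correlates process-creation command lines per host and flags the pattern just described: an account created with net user /add that is then added to both Administrators and Remote Desktop Users, noting whether net accounts /maxpwage:unlimited also ran on that host. The "host=... cmd=..." log format and the sample lines are constructed for this example; in practice the command lines would come from Windows 4688 or Sysmon process-creation events.

```python
import re
import shlex
from collections import defaultdict

# Constructed process-creation log lines (host, command line) modelled on the four
# commands quoted above; not real telemetry. Two benign-looking negatives included.
SAMPLE_LOG = [
    "host=WS01 cmd=net user coresystem Lol117755C /add",
    "host=WS01 cmd=net localgroup Administrators coresystem /add",
    'host=WS01 cmd=net localgroup "Remote Desktop Users" coresystem /add',
    "host=WS01 cmd=net accounts /maxpwage:unlimited",
    "host=WS02 cmd=net user helpdesk Tmp-Pass-1 /add",        # creation only
    "host=WS03 cmd=net localgroup Administrators alice /add",  # no creation seen
]
LINE_RE = re.compile(r"host=(\S+) cmd=(.*)")
REQUIRED = {"create", "group:administrators", "group:remote desktop users"}

def parse_net_command(cmd):
    """Classify one 'net' command line as (kind, account), or None if irrelevant."""
    try:
        argv = shlex.split(cmd)  # handles the quoted "Remote Desktop Users" group name
    except ValueError:           # unbalanced quotes: not a well-formed net command
        return None
    if len(argv) < 2 or argv[0].lower() != "net":
        return None
    sub = argv[1].lower()
    flags = {a.lower() for a in argv if a.startswith("/")}
    if sub == "user" and "/add" in flags and len(argv) >= 3:
        return "create", argv[2].lower()
    if sub == "localgroup" and "/add" in flags and len(argv) >= 4:
        return "group:" + argv[2].lower(), argv[3].lower()
    if sub == "accounts" and "/maxpwage:unlimited" in flags:
        return "maxpwage", "*"  # host-wide policy change, not tied to one account
    return None

def detect_backdoor_accounts(lines):
    """Return (host, user, password_never_expires) for each newly created account
    that was added to both Administrators and Remote Desktop Users."""
    seen = defaultdict(set)   # (host, user) -> kinds of net commands observed
    no_expiry_hosts = set()   # hosts where 'net accounts /maxpwage:unlimited' ran
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (parsed := parse_net_command(m.group(2))) is None:
            continue
        kind, account = parsed
        if kind == "maxpwage":
            no_expiry_hosts.add(m.group(1))
        else:
            seen[(m.group(1), account)].add(kind)
    return sorted((h, u, h in no_expiry_hosts)
                  for (h, u), kinds in seen.items() if REQUIRED <= kinds)
```

The same correlation can be run against Security log events 4720 (account created) and 4732 (member added to a local group) when command-line auditing is not enabled.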

Why Hackers Use Citadel

Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities. The attacker has set up a backup back door into the infected device. Attackers benefit in the following ways when utilizing such a trick, especially when they are preparing for a persistent, long-term attack against an enterprise:

  • Persistence: Even if Citadel (and its VNC module) is lost, the attacker can still use RDP to access the device.
  • The illusion of safety: A user who was vigilant enough to detect and remove Citadel will now feel safe to use his or her device, thinking it is clean.
  • Flying under the radar: While malware modules (such as VNC) and communications may be more vulnerable to interception and analysis by security software, using the Windows-native RDP capabilities may fly under the radar as some companies actually use this exact same protocol for technical support.

Citadel operators are clearly investing in their attack’s survivability as well as using the malware’s features to target companies, and not only for its original purpose: financial fraud. Trusteer Rapport (for bank users) and Trusteer Apex (for enterprise users) can detect and prevent Citadel’s infection and its ability to operate, with multiple layers of defense that block the threat along the attack kill chain, preventing the malware from ever infecting the targeted device and running the Windows shell commands. Trusteer’s security team is constantly on the lookout for new and emerging threats and techniques.
