IBM Trusteer researchers recently identified targeted cyberattacks on several Middle Eastern petrochemical companies in which attackers use a variant of the evasive Citadel malware. Citadel was originally created for the purpose of stealing money from financial institutions and has been massively distributed on users’ PCs around the world.
While the use of advanced malware originally built for financial theft as a generic advanced persistent threat (APT) tool is not new, this is the first time we’ve seen Citadel used to target nonfinancial organizations in a targeted/APT-style attack, with the goal of potentially accessing corporate data, stealing intellectual property or gaining access to secured corporate resources such as mail systems or remote access sites.
The attack’s targets include one of the largest sellers of petrochemical products in the Middle East and a regional supplier of raw petrochemical materials. We have worked to responsibly disclose this information to appropriate parties.
Citadel Malware Is Sophisticated, Evasive
The Citadel malware was first discovered in 2012. At the time, it was a man-in-the-browser malware designed to steal banking credentials using webinjects. Since then, malware developers have significantly extended its functionality, and today, it offers a wide range of powerful functions to steal information and remotely manage infected computers. The malware operates according to instructions provided in a configuration file. Once Citadel is installed on a machine, it fetches a configuration file from one of its command-and-control servers. The configuration file instructs Citadel on which websites and applications to target, which information to steal and how to steal it.
Exclusive: Hackers have repurposed Citadel financial malware to hack Middle Eastern petrochemical plants. http://t.co/R4Wd6SoGCc
— Nicole Perlroth (@nicoleperlroth) September 16, 2014
According to an analysis of the configuration file used in this attack, the Citadel malware was instructed to look for user access to certain URL addresses of internet-connected systems, such as webmail, in the targeted companies. Once the browser accesses such a URL, the malware is instructed to grab all the information submitted by the user — his is known as form grabbing, or “HTTP POST” grabbing. When the user submits information into the system, the web browser generates an HTTP POST request that sends the data entered to the site. The malware then intercepts the POST data before it is encrypted and sent to the server.
Below is the relevant section from the configuration file (shown in a Trusteer proprietary format), with the names of the targeted companies redacted:
To steal login credentials that provide access to the company’s webmail system, the malware looks for URLs like “http://mail.target-company.com,” which would be the login URL of the webmail system. When the user submits the login credentials, the malware grabs the username, password and any other information submitted during the login process. The information is sent to the cybercriminal, who can then log in on behalf of a trusted user, access corporate emails, send malicious emails and more.
Massively Distributed APT Malware
This is not the first time massively distributed malware originally designed for financial fraud has been used to target nonfinancial organizations in an APT-style attack. In fact, we wrote an article on this back in 2010. Citadel is one of many dozens of malware families that were initially created to steal money from financial targets such as banks. These include the infamous Zeus, SpyEye and Shylock families. Over time, malware developers extended the capabilities of these malware families and added advanced evasion techniques to turn them into sophisticated APT tools that can target any organization.
The typical functions available with these malware families include:
- Keylogging: Recording user keystrokes and sending them to the attacker.
- Screenshot capturing: Recording the browser session, including all the information displayed to the user.
- Video capturing: Recording a video stream of a browser session, including all the information displayed to the user.
- Form grabbing (HTTP POST grabbing): A method used to acquire user input from a web data form before it is sent to the user. HTTP POST grabbing has multiple advantages compared to other information stealing methods such as keylogging and screenshot capturing. Capturing the data in the form just before it is sent to the server enables the attacker to capture the real, complete data the user entered, even if the user entered it using a virtual keyboard or copied and pasted it into the browser.
- HTML injection: A method used to inject HTML content into a legitimate web page in order to modify it and steal information from the user. It is often used to display fake security warnings and customized text requesting additional information during login, account navigation and financial transactions.
- Remote execution of command line instructions: Enables the operator to collect data and change settings on one or more remote computers.
- Remote control of the infected machine: Allows complete control over the PC and full access to the corporate network. It is typically done via a graphical, desktop-sharing system that is used to remotely control another computer, such as virtual network computing tools.
- Advanced evasion techniques: Designed to evade antivirus and other traditional security controls.
- Anti-research techniques: A variety of sophisticated features designed to thwart malware researchers from analyzing the malware and understanding its internal operations or attack methods.
Although the trend of using such malware for APT-style attacks has been observed for several years now, many are still not aware of it; APTs are still regarded as highly targeted attacks that utilize custom tools specifically designed to target a single organization or group of organizations.
The use of massively distributed malware means attackers don’t need to spear-phish targets or design custom malware. Instead, they use mass distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social engineering schemes to infect millions of PCs around the world.
IBM Trusteer research found that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time. IBM Trusteer’s Service team reports they have discovered such malware in practically every customer environment in which they’ve worked.
The graphs below, based on IBM Trusteer research, show a heat map of massively distributed APT malware infection rates by country:
Protecting Against Massively Distributed APTs
IBM Trusteer Endpoint Protection solutions are designed to provide extensive protection against massively distributed APT malware families, including Citadel, Zeus, SpyEye and Shylock. These solutions can detect, mitigate and remediate massively distributed APT malware infections. Moreover, they can stop future infections and prevent endpoint compromise by applying integrated, multilayered defenses that break the threat life cycle. Deploying such a solution can help enterprise organizations deal with massively distributed APT attacks and emerging threats.
IBM Trusteer threat research is based on dynamic intelligence feeding from more than 100 million protected endpoints and translated into security updates that are automatically sent to protected endpoints. Deployments of IBM Trusteer Endpoint Protection solutions are backed by Trusteer’s security services, which can help enterprise organizations deal with massively distributed APT attacks and emerging threats.