The Citadel Banking Malware: Capabilities, Development History and Use in Cyber Crime


ThreatScape Intelligence Cyber Crime Report, November 5, 2013. Version: [1]

Key Points

- Citadel is based on the publicly available Zeus 2.0.8.9 source code, with the addition of video screen capture capabilities, numerous improvements to basic functionality, additional modules and bug fixes.
- Citadel gained popularity in the underground economy after its initial appearance in late 2011, likely due to sustained development and dedicated online customer service.
- In October 2012, actor "AquaBox," the main actor specifically linked to the malware's development (although multiple other actors were involved behind the scenes), stated on the Citadel customer relations management (CRM) platform that the malware would no longer be sold to new clients and that the online forum was shutting down and moving to a more secure venue.
- The development effort behind Citadel included an actor named "AquaBox" and a number of other actors who all may have had ties to XX XXX. This connection fits with the assessment that some (or all) of the developers behind Citadel had professional software development experience.
- While Citadel appears to be no longer maintained, the latest version (1.3.5.1) of its creation tools (also called a "builder") is publicly available, in part because former Citadel clients publicly shared the builder after having its user license protection circumvented.
- The Citadel builder's leaks will likely lead to continued widespread use of the malware, as at this point the malware has proliferated widely among underground communities in regions of the world that did not previously have access to Citadel.

2014 All rights reserved. iSIGHT Partners, Inc.

Overview

The Citadel credential theft malware family is highly sophisticated and based on the publicly available 2.0.8.9 version of Zeus. Heavily used by Eastern European cyber crime actors, Citadel campaigns have targeted hundreds of different financial institutions. In late 2012, "AquaBox," the actor responsible for the public sales of Citadel, and the other developers ceased activity in major underground communities with little warning, seemingly abandoning the project and their customer base. Some evidence gathered since AquaBox closed the Citadel forums in October 2012 suggests that the development team behind Citadel has moved on to a new, unidentified project, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Before Citadel's client forum was closed, the user base primarily consisted of moderately sophisticated actors who had been vouched for by other members of the forum or the developers. These actors used Citadel primarily to target major financial institutions, and with the exception of some notable outliers, they concentrated on targets in the US, Europe and Australia. However, after the forums closed and the developers halted their dedicated technical support, Citadel's former clients began openly distributing an unlocked version of the malware's "builder" or botnet creation tool. Since confirming those leaks, at least one moderately sophisticated actor group began using the leaked Citadel builder to operate their own campaigns. iSIGHT Partners anticipates that as the Citadel builder continues to proliferate among underground communities, more actors will begin using such malware than would have been able to while it was under development control.

Citadel Malware Capabilities

As a variant of the Zeus credential theft malware, Citadel is primarily used to steal victims' banking and login credentials. Citadel was based on the publicly available Zeus v. 2.0.8.9 source code, and as such, Citadel captures sensitive information in largely the same manner as other Zeus variants. Once a victim's machine is infected, the malware monitors the computer's network activity and logs account credentials. When a victim navigates to a site on a preconfigured list of websites, the malware captures login information entered into the site and sends it to a remote server. Citadel's unique capabilities, which are discussed below, are all in addition to those capabilities that Zeus had in its 2.0.8.9 version. Following is a basic enumeration of Zeus's core functions:

- HTML form grabbing and keystroke logging capability to intercept users' passwords.
- Webinjects: web form injection scripts that dynamically insert fraudulent fields into webpages, typically at login screens for financial institutions. Webinjects can also be used to alter displayed balances or transaction history.

For a more complete assessment of Zeus's capabilities, please see iSIGHT Partners, "The Zeus Banking Trojan: Capabilities, Development History and Use in Cybercrime and Espionage," Intel-844872, July 1, 2013.

Improvements and Additional Functions over Zeus 2.0.8.9

When Citadel was first released in late December 2012, the developers included a number of fixes for bugs in the original Zeus 2.0.8.9 source code. Throughout the development of Citadel, the developers consistently fixed bugs and made substantive improvements to their code, usually in response to customer requests via their online customer relations platform. iSIGHT Partners assesses that the responsiveness and efficacy of Citadel's development team were some of the main reasons for Citadel's popularity.

Changes to Citadel from earlier versions of Zeus are as follows:

- Citadel added video recording capabilities using the VNC video capture client software. This feature improves the ability to collect additional information from specific victims.
- Citadel v. 1.1.0.0 added the ability to perform form grabbing and code injection in Google Chrome, in addition to Firefox and Internet Explorer, which were supported by Zeus 2.0.8.9.
- The Citadel development team expanded the application programming interface (API) capabilities of Citadel considerably. Citadel's API, and its inclusion and management by the development team, supports the hypothesis that at least some, if not all, of the developers had professional software development experience. Notable API integration examples include:
  - The creation of a mobile Citadel C&C app
  - The Citadel developers added an API for the Jabber support module
  - The video capture module was updated in version 1.3.3.0 to include an API function, allowing actors to stream HTML-encoded video from an infected computer directly to a mobile device

Citadel's Origin and Development

Actor "AquaBox" first advertised Citadel in late December 2011 on an underground Russian-language forum. In the following six months, Citadel rapidly grew more sophisticated due to a series of swift updates and releases. Each new release improved both the malware's capability and stealth, and actors who had access to Citadel used it to great effect to steal credentials, often from banks outside the normal target range for credential thieves. Citadel v. 1.1 was released in December 2011. By February 2012, Citadel had received numerous updates and was versioned 1.2.4.0. By April 2012, AquaBox announced the release of Citadel v. 1.3.4.0.

The forum where Citadel developers and customers collaborated to decide on improvements to the malware had at least 90 members, and this collaboration streamlined the feedback and update process, resulting in updates that made the malware increasingly usable and effective.

Timeline of Citadel's development, updates, releases and takedown (iSIGHT Partners)

We estimate with moderate confidence that at least one, and possibly more, of the developers behind Citadel is associated with xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. If several of the development staff behind Citadel were at one time associated with X, it would explain much of the developers' apparent professional experience. The release of the API, the collaborative CRM forums, the unusually rapid pace of early development and the release of updates that Citadel users received early in the development stages of the kit all suggest that the developers of Citadel had significant professional experience as software developers (for more information on the likelihood of Citadel's developers being associated with professional software development, please see iSIGHT Partners, "Citadel Developers Likely Associated with XXX s, Indicating Talent and Resources Behind Malware," Intel-732352, Feb. 5, 2013).

We assess with high confidence that sometime between October 2012 and March 2013, in a premeditated move to withdraw from Citadel, AquaBox and the other developers behind Citadel abandoned a majority of their customers and retracted their underground presence to the point that most of their former customers no longer knew how to contact the team. In addition to announcing v. 1.3.4.5, AquaBox went further in his June 2012 announcement to state that public sales of Citadel would cease and that future updates would only be released to existing customers. In October 2012, AquaBox announced on the Citadel customer forum that a new forum had been developed for use only by trusted clients. The original customer forum was closed soon after that announcement. A number of actors who were likely previous customers of Citadel have made statements on several underground forums indicating a belief that AquaBox had abandoned both his customer base and Citadel itself. Former Citadel customers do not appear to know how to contact the team.

Beginning in late 2012, an increasing number of actors claimed to have a leaked version of the Citadel "builder," the creation tool used by the actors to create a new, modified copy of the malware customized for their use. By June 2013, a number of actors, who in some cases were probably former clients of AquaBox, were distributing cracked Citadel builders of both versions (1.3.4.5 and 1.3.5.1 [Rain]).

Between January and May 2013, the number of actors selling Citadel builders increased across several regions. Actors sold both versions 1.3.5.1 and 1.3.4.5, with prices between $200 and $500 USD, a drastic decrease compared to the prices charged while the kit was privately held. The basic kit originally sold for $2,399.00 USD (for information on actors outside of the Eastern European cyber crime community using Citadel, see iSIGHT Partners, "Latin American Group Likely Operating Campaign Using Leaked Versions of Citadel 1.3.5.1," Intel-963056, Oct. 15, 2013).

In September 2013, we observed a Latin American group of actors who were probably operating a Citadel campaign. We estimate that those actors obtained a copy of the leaked Citadel builder, as the original developers had long since abandoned the project, and no other Latin American actors had ever been observed operating a Citadel campaign (for more information, see iSIGHT Partners, "Latin American Group Likely Operating Campaign Using Leaked Versions of Citadel 1.3.5.1," Intel-963056, Oct. 15, 2013).

A June 2013 takedown operation, conducted jointly by Microsoft and the FBI, likely disrupted a large number of criminal operations using Citadel, but ultimately criminals' use of Citadel has persisted. The confirmed leak of two different versions of the Citadel builder (v. 1.3.4.5 and 1.3.5.1) in the first half of 2013 has allowed the malware to proliferate to users who previously did not have access to it, and we suspect that many new actors in at least the past three months have begun using copies of the malware obtained freely from underground forums (for more information regarding our predictions of Citadel's proliferation following the leaks, please see iSIGHT Partners, "Citadel Will Likely Become Widely Distributed Due to Lack of Support and Leaked Builders, Despite the June 2013 Botnet Takedowns," Intel-873629, June 30, 2013).

The takedown likely disrupted approximately half of the domains used by one of the most active Citadel operators, although the encryption key hash that the group used at the time went offline shortly after the takedown operation (for more information on the takedown's effect on the "6509 Crew," see iSIGHT Partners, "Joint FBI Takedown Hits Most Prolific Citadel Operation," Malware Report #13-26122, June 7, 2013). XX XX X

We anticipate that the public leak of the builder, combined with the recent law enforcement action against Citadel, will likely encourage sophisticated actors to avoid using the malware in favor of lesser known malware. At the same time, if the builder sees wider distribution among the underground, or if the source code for Citadel is leaked, we would expect to see a large distribution of the malware similar to what happened following the Zeus source code leak. We have some indication that the builder has already begun proliferating to new communities that previously lacked access to Citadel, as a recent campaign was likely operated by a group of Latin American actors. The extent of AquaBox's current activity is unknown, as is the activity of the rest of the Citadel development team. We have seen actors stating that AquaBox had abandoned Citadel to begin work on another project, but as of yet, we have no further evidence proving this is the case. In July 2012, an actor named "Support" with the same forum rank as AquaBox (Licensed Member) posted that development was progressing on a P2P version of Citadel, which would use communication between infected machines rather than central servers. However, no further mention of a P2P-based Citadel has been observed.

Marketplace

AquaBox was almost certainly the only actor who publicly sold or advertised access to Citadel on behalf of the developers, although it is unclear whether AquaBox himself participated in the development process. AquaBox's first advertisement of Citadel was on a prominent Russian-language cyber crime forum, and since October 2012, we have had no reports of his activities in any underground communities. AquaBox and the other actors who were likely part of Citadel development primarily interacted with their customers via Citadel's customer relations management (CRM) platform. CRM platforms are widely used in software development and are essentially forums in which actors and developers can collaborate and vote on updates and improvements to a given project. The fact that AquaBox and his cohorts co-opted the idea for their own development efforts on Citadel suggests that they had prior experience operating a CRM platform during software development. Based on the rapid pace of Citadel development, we judge that this decision proved critical to the success of Citadel in the underground market. Many of the modules that enhanced Citadel's capability were developed when actors on the CRM collaborated, increasing the functionality of Citadel beyond what the development team alone could have accomplished.

User Base

At Citadel's peak usage during its development stages, it is highly likely that the number of actors using the malware was around 90 individuals. Much like Zeus's original user base, early in its development, Citadel's user base consisted of a closed group of clients who interacted with the development team through the Citadel CRM forum. In general, these users primarily engaged in cyber crime-related activities using Citadel. Currently, we are almost certain that at least some highly sophisticated actors are using Citadel to conduct campaigns targeting diverse victims throughout the financial industry. For example, in recent months we have observed many Citadel campaigns targeting smaller financial institutions for workers' unions, financial institutions related to the United States Department of Defense and several campaigns targeting business and corporate URLs for major banks in Australia, Europe and North America. We have observed a number of new encryption keys coming online since early 2013, which are being used by less sophisticated actors who have recently obtained access to the publicly leaked Citadel builders discussed earlier.

Victimology

While actors running Citadel campaigns may have specialized their targeting toward specific industries or geographic regions, the net effect was Citadel being used to target major financial institutions on every continent. The vast majority of Citadel usage targeted multinational banks and financial institutions, many of which have global operations. Citadel operators have also targeted numerous small, industry-focused credit unions. One Citadel operator specifically targeted credit unions serving police, firefighters and government personnel. The Microsoft Digital Crimes Unit estimated five million worldwide infections by Citadel, with total losses attributable to the malware estimated at $500 million USD since the malware was first released in December 2011.

Top 20 Institutions Targeted by Citadel Webinjects between January 2012 and July 2013
X Xx X Xx X.com XXX

Outlook

Between October 2012 and October 2013, Citadel's developers have almost certainly abandoned their customers, and Microsoft and the FBI staged a massive takedown of more than 1,000 Citadel domains. However, even without the advantages of a dedicated support staff and a communal development effort, Citadel is still comparatively more sophisticated than any of the other credential theft Trojans freely available in the underground. Citadel's capabilities are significantly greater than those of its predecessor Zeus, and although not all of the actors using Citadel botnets were highly sophisticated, at least some of the actors who had access to Citadel used it to steal multiple millions of dollars from financial institutions around the world.

At this point in time, the developers have likely abandoned both the project and a majority of their clientele. Actors who are still operating Citadel campaigns are unlikely to enjoy the same levels of support and frequency of updates that originally contributed to Citadel's position as a particularly notable threat to the financial sector. We have evidence to suggest that at least one Citadel campaign was initiated using the publicly leaked builder, and it is highly likely that many actors are currently using Citadel; since the barrier of restricted access has been removed, more actors will likely begin using it. Ultimately, in the next 12 months we expect that the Citadel botnet creation tools will continue to propagate in the underground and that more actors will use the banking malware than were able to in the past. Because of that, it is highly likely that the threat posed by Citadel will at the very least remain serious. If the source code of Citadel were to be leaked sometime in the next 12 months, or if AquaBox and the other developers resurface with an improved version of Citadel, we would expect that threat to increase significantly.

Appendix: Detailed Technical Analysis of Citadel

Command and Control (C&C) Communication Protocol

Citadel relies upon the HTTP protocol to push configuration files from its command and control (C&C) servers to the drones, allowing botnet operators to communicate with the drones in their botnet. An operator is able to update bots on the fly using configuration changes provided by a URL hard-coded into binaries at creation time. Configuration files sent to bots are encrypted with the AES cipher and a homegrown "visualdecrypt" obfuscation function, using a symmetric AES key derived by the scheme given under Host Infection and Installation below. This method is a significant improvement over Zeus's use of RC4 with the botnet_key and visualdecrypt to obfuscate configuration files.

After a bot successfully establishes a connection, the Citadel control server delivers a configuration file via HTTP. Citadel configuration files are encrypted using a 128-bit AES key and an additional layer of obfuscation based on the operator's "BO_LOGIN_KEY." This differs from the method used in Zeus 2.0.8.9, which relies on a single round of RC4 encryption with an embedded key.

Anatomy of Citadel infection and credential theft (iSIGHT Partners)
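The report states the key derivation under Host Infection and Installation as config_key = RC4(md5sum(LOGIN_KEY), botnet_key). The following is an added example, not code from the report or from the malware, that implements that derivation so an analyst who has recovered the two operator-supplied values from a sample can compute the 128-bit key needed to decrypt a captured configuration file. It assumes md5sum means the raw 16-byte digest of the LOGIN_KEY string and that botnet_key is the RC4 key applied to that digest; the operator values below are constructed.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each data byte with one keystream byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_config_key(login_key: str, botnet_key: str) -> bytes:
    """config_key = RC4(md5sum(LOGIN_KEY), botnet_key), read here as:
    RC4-encrypt the raw 16-byte MD5 digest of LOGIN_KEY under botnet_key.
    The 16-byte result is the AES-128 key for the configuration file.
    (Assumed reading of the report's formula; argument order is not spelled out there.)"""
    digest = hashlib.md5(login_key.encode("ascii")).digest()  # 16 bytes
    return rc4(botnet_key.encode("ascii"), digest)


# Constructed operator values for demonstration (not taken from any real sample).
EXAMPLE_LOGIN_KEY = "example_login_key_not_real"
EXAMPLE_BOTNET_KEY = "example_botnet_key_not_real"

if __name__ == "__main__":
    print("AES-128 config key:", derive_config_key(EXAMPLE_LOGIN_KEY, EXAMPLE_BOTNET_KEY).hex())
```

Decrypting an actual configuration file additionally requires the AES-128 step and the "visualdecrypt" layer the report names, neither of which is implemented here.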

Host Infection and Installation

The Citadel installer uses the same infection process as Zeus 2.0.8.9, including mechanisms to lock the malware to a single victim based on the Globally Unique ID (GUID) of the machine's Windows volume. Upon execution on a target system in the context of a given user account, the installer creates a randomly named folder in the user's "Application Data" directory, copying itself into the target folder as a randomly named file. This binary is executed immediately, and the original Citadel installer is removed. If the victim has Administrator privileges, the malware infects all local Windows user accounts.

On the infected host, the resident binary stores data in itself using an executable overlay, "PESETTINGS.rc4Key," compressed with the open-source Universal Compression Library (UCL). This data is encrypted with the RC4 stream cipher and a random 40-byte key created on each malware installation. A unique bot identifier is produced based on the CRC32 digest of the infected machine's timestamp, NetBIOS hostname, Windows version and Windows license key. It also sets a randomly named mutual exclusion (mutex) value to ensure that only one copy of the malware is installed on the system.

Citadel persists across system reboots using a registry key commonly used to start Windows programs automatically:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This key's value contains the full path to the resident binary, launching it on system boot.

The creation tool used to generate new copies of the Citadel malware has been slightly changed from its Zeus counterpart. The interface has been cosmetically improved, with the substantive addition of a customizable "Encryption Key," referenced as LOGIN_KEY in source code. Citadel continues to use an RC4 key set by the operator and embedded in each generated binary, called the "botnet_key."
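The installation behaviour just described (randomly named folder directly under Application Data, randomly named executable, full path stored in the Run key) can be turned into a triage check. The following is an added example, not code from the report, that parses constructed Run values and flags entries matching that layout; the vendor allow-list and the "random-looking name" heuristic are assumptions, and a flagged entry is a lead to confirm by hashing the file, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of values read from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# (all names and paths are made up for this example).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Spotify": r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart',
    "Ykbefihe": r'"C:\Users\alice\AppData\Roaming\Azudcu\ykbefihe.exe"',
    "Discord": r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe",
    "Itutx": r"C:\Documents and Settings\bob\Application Data\Qihoco\itutx.exe",
}

# Assumed allow-list of vendors known to install directly under the roaming profile.
KNOWN_ROAMING_VENDORS = {"spotify", "microsoft", "dropbox", "zoom"}


def extract_image_path(command: str) -> str:
    """Pull the executable path out of a Run value: a quoted path, or an unquoted one up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else (command.split() or [""])[0]


def looks_random(name: str) -> bool:
    """Heuristic for install-time random names: letters only, 4-12 chars, not a known vendor word."""
    return re.fullmatch(r"[A-Za-z]{4,12}", name) is not None and name.lower() not in KNOWN_ROAMING_VENDORS


def appdata_index(parts) -> int:
    """Index of the per-user application data directory in a path's parts, for both the
    Vista+ layout (AppData\Roaming) and the XP layout (Application Data); -1 if absent."""
    lower = [p.lower() for p in parts]
    for idx, part in enumerate(lower):
        if part == "application data":
            return idx
        if part == "roaming" and idx > 0 and lower[idx - 1] == "appdata":
            return idx
    return -1


def is_suspicious_run_entry(command: str) -> bool:
    """True when the image is <AppData>\<random dir>\<random name>.exe, the layout the report describes."""
    path = PureWindowsPath(extract_image_path(command))
    parts = path.parts
    idx = appdata_index(parts)
    # Exactly one directory between the profile's application data folder and the .exe
    if idx < 0 or len(parts) != idx + 3 or path.suffix.lower() != ".exe":
        return False
    return looks_random(parts[idx + 1]) and looks_random(path.stem)


def triage_run_key(values: dict) -> list:
    """Return the names of Run values worth a closer look, sorted for stable output."""
    return sorted(name for name, command in values.items() if is_suspicious_run_entry(command))


if __name__ == "__main__":
    for name in triage_run_key(SAMPLE_RUN_VALUES):
        print(f"suspicious Run entry: {name} -> {extract_image_path(SAMPLE_RUN_VALUES[name])}")
```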
From these two operator-supplied values, the configuration key is derived as follows:

config_key = RC4(md5sum(LOGIN_KEY), botnet_key)

Citadel binaries communicate using the HTTP protocol, connecting to remote servers for updates and data exfiltration. This communication is implemented using the "url_server1" and "url_server2" variables in its creation interface. The added feature of multiple control domains allows Citadel operators to have a fallback control server in case the first one is taken down. In order to allow bots to check for updates on a variable schedule, the "timer_autoupdate" variable was added as well.

The developers of Citadel added the ability to capture live video of infected machines using the open-source VNC server library, which was previously included as an optional module for Zeus. While the Zeus module was relatively rare and eventually unsupported by its developers, Citadel compiled in mandatory support for VNC. A specific type of "Back-connect" command is used to stream video of compromised users, implemented by opening a VNC server on a bound TCP socket on the victim machine. This functionality is reused for HTTP proxying and tunneling. The format of these commands is as follows:

[STATUS_FLAG] [BOT_IDENTIFIER] [COMMAND_TYPE][BACK_CONNECT_TYPE]

As in Zeus, the resident Citadel binary injects hooks into all running processes on the infected host, redirecting calls to Windows system functions. This is accomplished by adding inline hooks at the start of user-mode functions with a pointer to the hooked function and an intermediary trampoline function. To aid VNC capture, Citadel hooks the functions responsible for creating and moving program windows and for mouse pointer movements.

Modular Architecture

Citadel was developed using a modular architecture, meaning that the developers and other actors could create modules, also called "plugins," which expanded the functions of Citadel. The same modular architecture is used for Zeus and most of its variants, meaning that any modules developed for those other malware families also function in Citadel. Additional modules could be purchased by operators to fulfill different needs. Observed modules include the following:

- An "iframer" module allows actors to automatically infect websites using stolen FTP credentials. This module may enable Citadel users to rapidly gain access to web traffic for uses such as additional malware distribution.
- The backconnect VNC module in Citadel allows users to establish a backdoor to any of the drones in their botnet and bypass the Windows firewall.
- The "Crypto-panel" module pushes an automatic Jabber update to users when an infection has been detected by anti-virus.
- A module named "filehunter" was referenced in the Citadel creation panel. It is likely that this module searches through a victim machine's files and grabs files or file types, although we have not confirmed the functionality of this module.

Webinject Formatting in Citadel

Citadel's webinject functions are more advanced than those of Zeus 2.0.8.9, and we estimate that the increased potency of Citadel's webinjects, and the malware's compatibility with the webinjects of several other malware families, was one of the primary reasons actors used Citadel over other types of credential theft malware. Citadel 1.3.5.1 allows operators to dynamically update webinjects using non-Latin characters. While prior versions only supported Latin characters in domain names, Citadel's webinjects allowed targeting of financial institutions in Eastern Europe, the Middle East and Asia. Citadel uses the Zeus format for webinjects, allowing Citadel to use injects developed for other credential theft malware that also uses this format, including most Zeus variants and Carberp (for more information, see iSIGHT Partners, "Zeus and SpyEye Webinjects Format Being Treated As Common Underground Standard; Trend Highly Likely Increasing Malware Threats," Intel-538183, Feb. 21, 2012). The industry standardization of webinjects among underground developers allows actors using credential theft malware to draw from a large pool of community-developed inject files.

Information Cut-Off Date: Aug. 27, 2013

This message contains content and links to content which are the property of iSIGHT Partners, Inc. and are protected by all applicable laws. This cyber threat intelligence and this message are solely intended for the use of the individual and organization to which it is addressed and is subject to the subscription Terms and Conditions to which your institution is a party. Onward distribution in part or in whole of any iSIGHT proprietary materials or intellectual property is restricted per the terms of agreement. By accessing and using this and related content and links, you agree to be bound by the subscription terms of service.