Security researchers have discovered a new variant of the data-stealing Citadel Trojan that targets password managers. Cybercriminals are using it to sniff users’ master passwords for a number of password management applications and other authentication programs, which may make you think twice before using one.
The Citadel Trojan has typically been used to steal online banking credentials and other financial information by masquerading as legitimate banking sites when victims open them in their browser, a technique also known as a man-in-the-browser attack.
The malware has previously targeted credentials stored in the password managers built into popular web browsers; third-party password managers, however, had typically not been targeted by the attackers.
“[The configuration file] instructs the malware to start key-logging (capturing user keystrokes) when some processes are running,” Dana Tamir, director of enterprise security at IBM Trusteer, explains in a blog post.
It’s not clear how widespread the infection is, nor who is behind it. The attackers wiped their central command-and-control (C&C) server shortly before Trusteer caught onto the infection.
“Once Citadel installs on a machine, it opens communication channels with a command-and-control (C&C) server and registers with it. The malware then receives a configuration file that tells it how it should operate,” explained Tamir.
“An analysis of the configuration file [used by this variant of Citadel] shows that the attackers were using a legitimate web server as the C&C. However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration.”