Password Management Systems being targeted by Citadel Trojan
After infecting many a victims with the vicious Citadel Trojan, the authors/handlers of the Trojan have branched out to a more lucrative victim. The masterkey of the Password Management System. As per a research published by Security Intelligence, the Citadel Trojan is now targeting the master passwords guarding major password management products.
Security Intelligence which is powered by tech major IBM said that they notified major Password Management System providers like makers of the nexus Personal Security Client, Password Safe and KeePass about a new configuration file found on an infected computer targeting processes used by the respective password management tools.
What is Password Management System
Given the fact that most of the users have atleast 10 to 20 accounts across the internet ranging from simple email passwords to passwords for confidential data and banking. A Password Management System is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
The authors/handlers of the Citadel Trojan are after this master password. If this is cracked, the cyber criminals can lay their hands on the victims financial data as well as confidential information.
How does Citadel Trojan work
The Citadel Trojan is not new. It is a massively distributed malware that has already compromised millions of computers worldwide. Once Citadel installs on a machine, it opens communication channels with a command-and-control (C & C) server and registers with it. The malware then receives a configuration file that tells it how it should operate, which targets what to look for, what type of information to capture, which functions to enable and even provides information about alternative C&Cs that allow the attackers to take down an exposed C & C and still operate the malware from a new C & C.
As long as the malware is communicating with the C & C, the configuration file can be updated with information about new targets, activities and C&C destinations. As of now the C & C servers instruct the malware to call out the Personal.exe process in the nexus Personal Security Client. Like wise if the victim is using Password Safe, the Trojan sets about calling out PWsafe.exe from Password Safe and in KeePass, the KeePass.exe file is called out by the new Citadel configuration files. In each case, the malware seeks out and captures the master password that unlocks the password database stored by the password management tool.
“It instructs the malware to start keylogging when some processes are running,” wrote Dana Tamir, director of enterprise security on Security Intelligence.
NeXus Personal Security Client is cryptographic middleware used in enterprise and service provider locations to secure financial transactions, e-commerce and other services from the desktop. Password Safe, meanwhile, is an open source tool built by Bruce Schneier. KeePass is also a free, open source password manager, but it uses a random password generator preventing the user from having to come up with individual passwords. The Trojan, however, sidesteps that protection by stealing the master password.
“An analysis of the configuration file shows that the attackers were using a legitimate Web server as the C&C,” Tamir said. “However, by the time the IBM Trusteer research lab received the configuration file, the C&C files were already removed from the server, so researchers were not able to identify who is behind this configuration.”
Citadel Trojan is one of the most widely distributed malware families, is crossing over more and more from the realm of cybercrime to APT-style targeted attacks. As per Security Intelligence. APT are now the most sought after pieces of malware. The Security Intelligence notes that an average of 1 in 500 machines worldwide is infected with massively distributed APT malware at any point in time.
Massively distributed malware has been discovered by IBM Trusteer’s Service team in practically every customer environment in which they’ve worked. Since millions of machines are already infected with Citadel, it is easy for attackers to take advantage of this malware in new cyber scheme which is to target the Password Management System’s master password key. All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets.
The new and changed configuration of Citadel that is being used to compromise password management and authentication solutions. It instructs the malware to start keylogging (capturing user keystrokes) when some processes are running.
The relevant part of the configuration is shown below (in IBM Trusteer’s proprietary format):
Snippet form the Citadel configuration(Image courtesy Security Intelligence)
The following are targeted processes:
Personal.exe: A process that belongs to “neXus Personal Security Client,” an authentication solution that enables users to conduct secure financial transactions, e-commerce and other security-dependent services directly from the desktop. It offers a cryptographic middleware (interlinking piece of software) that enables secure login and the use of common applications. It is used by enterprises as well as online service providers.
PWsafe.exe: A process that belongs to “Password Safe,” a free, open-source password management solution that allows you to create an encrypted user/password list. According to an article from PCWorld, the original version of its password database was designed by security expert Bruce Schneier, and the current version has been tested and code-inspected by thousands of people — not trivial for a security solution. By using a keylogger, the malware captures the “master password,” which enables the cyberattacker to unlock and access the entire list.
KeePass.exe: A process that belongs to “KeePass,” another free, open-source, secure password manager. It lets you keep all of your username/password pairs in a securely encrypted database, protected behind a single master password. One of the positive features included with KeePass is a random password generator, so you don’t have to create random passwords on your own. Again, by using a keylogger, the malware can capture the “master password,” which lets cybercriminals unlock and access the entire user/password database.
It is important to note that Citadel is highly evasive and can bypass most threat detection security systems. It can stay idle on a user’s machine for weeks, months and even years until it is triggered by a user action. This means that many users and organizations do not know that their machines are already infected, and the existing infection can be quickly turned against them.
Meanwhile statements are awaited from all the major Password Management Systems.