Citadel malware attacking open source password managers

The malware variant also has its eye on online commerce, transaction authentication software
Written by John Fontana, Contributor on

The king of the castle has a new tormentor.

IBM’s Trusteer researchers have discovered a new configuration of the Citadel malware that attacks certain password managers. The configuration activates key logging when certain processes are running on the infected machine. The malware is designed to steal the "master password" that protects access to the database of the end-user's passwords.

[Image: shadow hand on a keyboard. Credit: CNET]

The targeted processes include Password Safe (PWsafe.exe), which was designed by security expert Bruce Schneier, and KeePass (KeePass.exe). Both are open-source password managers. The variant also targets the nexus Personal Security Client used to secure financial transactions and other services that require heightened security.
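The behaviour described above (key logging switched on only while a vault process is open) suggests a simple defender-side correlation. The following is an added example, not code from the article or from IBM/Trusteer: it assumes endpoint telemetry with "start", "exit" and "kbd_hook" events (an assumed schema), uses constructed log lines, and treats updater.exe and ime.exe as placeholder process names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Process names the article says the Citadel configuration watches for.
TARGETED = {"pwsafe.exe", "keepass.exe"}

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since boot (constructed)
    kind: str      # "start", "exit" or "kbd_hook" (assumed event names)
    process: str   # image name of the acting process

def correlate(events: Iterable[Event], allow: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one alert per keyboard hook that overlaps a targeted process.

    Both orderings are covered: a hook installed while a vault process is
    already open, and a vault process opened while a foreign hook is live.
    `allow` lists hook owners that are expected (IMEs, accessibility tools).
    """
    running: Set[str] = set()
    hooked: Set[str] = set()   # processes currently holding a keyboard hook
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = ev.process.lower()
        if ev.kind == "start":
            running.add(name)
            if name in TARGETED:
                for h in sorted(hooked - TARGETED - allow):
                    alerts.append(f"t={ev.ts}: {name} started while {h} holds a keyboard hook")
        elif ev.kind == "exit":
            running.discard(name)
            hooked.discard(name)
        elif ev.kind == "kbd_hook":
            hooked.add(name)
            if name not in TARGETED and name not in allow:
                for t in sorted(running & TARGETED):
                    alerts.append(f"t={ev.ts}: {name} installed a keyboard hook while {t} is running")
    return alerts

# Constructed telemetry: a short-lived hook before the vault opens (no alert),
# then a placeholder process hooking the keyboard after KeePass has started.
SAMPLE = [
    Event(10, "start", "explorer.exe"),
    Event(12, "kbd_hook", "ime.exe"),
    Event(13, "exit", "ime.exe"),
    Event(20, "start", "KeePass.exe"),
    Event(21, "start", "updater.exe"),
    Event(22, "kbd_hook", "updater.exe"),
    Event(40, "exit", "KeePass.exe"),
]

if __name__ == "__main__":
    for line in correlate(SAMPLE):
        print(line)
```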

Password managers have become popular in the wake of breaches that have exposed millions of end-user credentials. Users collect all their passwords in a “vault” that is protected by a master password. Beyond the added security, users can choose long and complex passwords that are hard to guess and that they do not have to remember, since the password manager fills in the password field on the user’s log-on screen.

KeePass and Password Safe both support two-factor authentication to help combat such attacks, including plug-ins, hardware tokens, and support for Google two-step verification and AWS multi-factor authentication.

IBM discovered the variant on a machine that was protected by IBM Trusteer, a suite of security software. IBM bought Trusteer, an Israeli company, in Sept. 2013 for $1 billion.

The researchers say they are unsure how the variant got on the machine. In addition, the researchers said they did not know if it was an attack with a specific target or a random expedition by attackers to find what types of data they could collect.

“Password management and authentication programs are important solutions that help secure access to applications and Web Services,” Dana Tamir, director of enterprise security at Trusteer, wrote on IBM’s Security Intelligence blog. “If an adversary is able to steal the master password and gains access to the user/password database of a password management solution or compromise authentication technology, the attacker can gain unfettered access to sensitive systems and information.”

The Citadel Trojan is well-known malware that has already compromised millions of computers. Once the malware infects a machine, it receives a configuration file that tells it what to do and how. The researchers said Citadel is “highly evasive and can bypass threat detection systems.”

In September, a variant of the malware was used to attack several Middle Eastern petrochemical companies. Trusteer also discovered that attack. A variant of Citadel was also linked to the massive Target breach last year, having been discovered in the systems of a partner linked to the retailer.

Last year, Microsoft, along with the FBI and technology and financial services companies, launched a “takedown” operation against Citadel botnets. The group claimed it disrupted more than 90% of the botnets that it said were responsible for over half a billion dollars in fraud.

Forum discussions on the impact of Citadel have begun on the KeePass project at SourceForge.

KeePass and Password Safe support two-factor authentication to thwart such attacks, including plug-ins, hardware tokens, and support for Google two-step verification and AWS multi-factor authentication.

Disclaimer: My employer develops a two-factor authentication device
