Advances made in the cybercrime world over the past year prove that the trickle-down effect does not only apply to tablet computers and space tourism. Rather, much like real world products, techniques that were once reserved for the cybercrime elite have trickled down to the public domain, bestowing low-skilled botmasters with the same research-thwarting tools that not too long ago were used solely by malware experts.
Citadel started as a Zeus v2 Trojan, deployed and tweaked by a crime gang for its own banking fraud operations. Once Citadel was released into the Russian-speaking underground in January 2012, however, it took on a life of its own, supported by a skillful, relentless development team.
The recent LinkedIn accounts compromise, in which 6.5 million password hashes were published in the Russian hacker community, grabbed a lot of media attention. In a hellish period of publicly known breaches that hit the front page news, with perimeter security defenses failing left and right in every possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying. It’s personal. I bet that every reader here has a LinkedIn account (raise your hand if you don’t). Certainly every journalist reading this has one.
The Eternal Flame is something you’ll probably recognize as the ever-burning fire of ancient Greece, but in fact it has deeper roots in the Middle East. The first records of such a custom are, interestingly enough, set in ancient Iran and Israel. The security industry’s skies are now alight with Flame, the latest discovery in [...]
While RSA FraudAction Research Labs does not usually focus on pure-play spyware, over the past year, the Lab has repeatedly detected and handled strains of malware called the eDead Trojan. This highly-targeted spyware code was developed for the sole purpose of collecting keyword search combinations entered by infected victims who visit online banking, retail, webmail and web portal websites, primarily in Japan and Korea.
As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 184.108.40.206 already in the hands of its customers. Citadel’s features, bug fixes and added modules (each priced separately), have long gone beyond what Zeus ever offered as Slavik’s zeal for developing the malware died down when law enforcement got too close for the Trojan creator’s comfort.
Discussion and buzz about the burgeoning Fraud-as-a-Service (FaaS) trend in the cybercrime economy is as constant and as progressive as it gets. New FaaS offerings are only limited to the imagination of the dubious actors who offer them, and as such, are often creative and interesting in the ways by which they can make perpetrating fraud easier and more accessible to a growing number of criminals.
Phishers, botmasters and underground vendors are increasingly adapting business models and tools for their nefarious ventures. Botmasters are creating and selling blacklists to ward off research and shutdown attempts by infosec experts and law enforcement. Underground vendors transact with buyers using in-house or publicly available escrow services, and crimeware coders offer user manuals and responsive, multi-lingual customer support. Offering Trojans as FaaS, Citadel’s coders are likely the first to sell monthly subscription plans to guarantee their customer base periodic builder updates and bug fixes, and supposedly ensure ongoing, seamless development and improvement of their Trojan kit.
One of the features included in the initial report, communicated by Citadel’s developers in late February, is a capability the developers have apparently implemented: DNS redirection. Per the feature list, the developer claims that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local pharming), but instead lets the botmaster block or redirect any URL they wish to prevent the bot from reaching.
The FraudAction Research Lab has recently analyzed a Zeus 220.127.116.11 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.