Citadel V1.3.5.1: Enter the Fort’s Dungeons

By Limor Kessem

What can be said about the Citadel Trojan that we have not yet said? This advanced banking Trojan, exclusively available in the deep web, has been a game changer ever since it appeared in the most clandestine of cybercrime communities.

Fit for crime king(-pins), it was built over the old Zeus’ (v2) source code, exceeding its predecessor by far and breathing new air into Trojan-facilitated cybercrime. Possessing many of Zeus’ best features and mechanisms, Citadel is continuously renovated by its developers, adding new and innovative modules designed for enhanced control over infected bots and clever victim impersonation schemes.

True to its dictionary definition:“a fortress that commands a city and is used in the control of the inhabitants;[1]”, the Trojan flavor is no different, commanding botnets and controlling its zombies. As of the October release of v1.3.5.1 “Rain Edition”, this crimeware is at its 6th release, and costs 41% more than it did on its January ‘12 debut. Citadel’s basic kit’s off-the-shelf price now stands at $3,391 USD/€2,630, (up from $2,399 USD/€1,850). Although some would argue the price is right, with today’s complete absence of up to par varieties in the underground, botmasters have no other choice but to pay up.

The Next Generation Citadel

The blackhat developers behind this Swiss Army knife-like Trojan are definitely stepping up cyberfraud fine-tuning with yet another unique and innovative feature added to their roster.

The recent feature was christened under the name “Dynamic Config,” a technology implemented in Citadel v1.3.5.1 (“Rain Edition”) enabling botmasters smoother, quicker interactions with the victim through browser injection technology. Today’s fraud happens in real time, so speed is of the essence. This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file.

How does this happen? It’s actually quite simple. Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection “packs” will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injection(s) go to which bot or group of bots. The format will be fully “Zeus-compatible,” of course.

This will not cancel out the configuration file or the injections it already contains. Botmasters can choose whether to use both simultaneously, or work with one of the sources at a time. If an injection in the usual config already has a more recent version, the newest will be automatically used. This will make for the most efficient emulation of the bank’s website at any given time.

Fraud-as-a-Service at its Best

The new mechanism is designed right into Citadel’s Fraud-as-a-Service model. Botmasters will be able to grant limited access to hired help.  Up to 5 blackhat programmers (per admin) will be afforded a username and password combination to their own section on the administration panel. The injection sellers could create and save their work, get paid by the piece, and work with multiple botmasters – FaaS at its best!

The botmaster can oversee the whole operation and enjoy using the injections as soon as they are ready, applying them to infected machines of his choice or the whole botnet.

New Customers, New Support Model

Although it is the most advanced commercial Trojan seen to date, team Citadel wants to make sure that their malware doesn’t end up where SpyEye is today so they are keeping an eye out for new customers who may not be overly programming-savvy. The Trojan’s interface has been enhanced to accommodate newbies and to alleviate some of the pressure of endless tickets filed with Citadel’s support staff.

That being said, Citadel would also like to withdraw from dealing with complex tech support tasks. One of Citadel’s strongest points in the cybercrime market has apparently become increasingly charging (more customers, more troubleshooting). Citadel tells customers that “Complex customer support requests of a highly technical nature will no longer be accommodated due to the elevated number of such requests.” Users can find help in sharing their issues with peers on the Citadel CRM or discussion forum.

True to their promise to make Citadel more private and stop selling the Trojan ‘publicly,’ Citadel reminds customers that their support team reserves the right to refuse the sale of a new license to any buyer, without having to explain or give a reason—all in a bid to protect themselves against the possible infiltration of their customer base by researchers and law enforcement. Note that Citadel is still only sold in Russian-speaking forums and has not been seen distributed by English speaking vendors thus far.


Limor Kessem is one of the top Cyber Intelligence experts in RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.

[1] Source:

Leave a Reply

Your email address will not be published. Required fields are marked *

No Comments