Citadel – Yesterday and Today

Citadel started as a Zeus v2 Trojan, deployed and tweaked by a crime gang using it for their own banking fraud operations, however once Citadel was released into the Russian-speaking underground in January 2012, it took on a life of its own being supported by a skillful, relentless development team.

Today, Citadel is the most advanced crimeware tool money can buy and is the only crimeware of its grade being marketed to fraudsters in open underground venues.  Comparable Trojans, like Sinowal, are all privately owned, but Citadel is taking the open market by storm and is continuing to evolve in sophistication.  Since its release, Citadel has seen 4 major upgrades (including v1.3.4.5) that addressed “customer” concerns and fixed a long list of bugs originating in Zeus v2’s faulty mechanisms.

An excellent example of a successful deployment of a Fraud-as-a-Service (FaaS) model, Citadel is the first ever crimeware to have its own dedicated CRM where dubious clientele can congregate, raise issues, get support and request new modules be implemented.  The Citadel CRM is pushed as a compulsory part of using the Trojan, and demands a monthly fee be paid for the membership. Botmasters failing to pay their dues are banned from receiving the next version upgrade.

Sold for $2,500 for a kit with added plugins going for an average of $1,000 each, Citadel developers are making good money with this banking Trojan, and much like others before them, are beginning to feel the ground under their feet getting warmer as law enforcement becomes increasingly interested in their work.

Citadel Going Off the Open Market

With law enforcement hot on their heels, developers of the Citadel Trojan, who recently communicated the release of a new version (v1.3.4.5), dropped the bomb. The team’s spokesman declared that very soon their “software” will no longer be publicly available through the underground venues where the team has traditionally marketed and sold Citadel.  It appears that soon enough only existing customers will continue to enjoy Citadel Trojan upgrades and those wishing to purchase a new kit from the outside will have to get a current customer to vouch for them or be denied the product altogether.

While this could be a marketing stint designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales. By selling less they can keep the Trojan from being all too widely-spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually, like Zeus, SpyEye, and Carberp — more cybercrime arrests linked with using Citadel.

Fear of Indictment

Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement.  Their actions of developing, supporting and selling advanced crimeware makes them an accessory to the crimes which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars.

Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety.


No Comments