The Citadel trojan, based on the Zeus virus and first spotted in 2011, is data-stealing malware. Citadel was used to harvest login credentials, and its sophisticated evasion techniques allowed it to infect millions of users and stay undetected for months. By 2017, it was reported that the malware had infected about 11 million computers and caused over $500 million in losses.
Citadel focuses on stealing credit card and bank account numbers, as well as various login credentials. It can also redirect victims to dangerous websites and install additional malware onto the computer. Furthermore, infected devices were added to the Citadel botnet. It was offered as malware-as-a-service (MaaS) on various underground cybercrime markets and was accessible to anyone who wanted it. Citadel even had an online tech-support system where malware distributors could report bugs and suggest new features.
In many cases Citadel was able to stay undetected on computers for months, even when anti-virus software was installed on the device. It would be installed unnoticed when users visited certain websites, and would stay in the background until it was time to act. Citadel was installed through drive-by-download attacks using the Blackhole exploit kit. The exploit kit essentially plants web browser exploits on insecure web servers, and those exploits allow malware to be installed on the computers of visiting victims.
This combination of its distribution techniques and evasive behaviour made Citadel one of the most dangerous banking trojans at the time.
Is Citadel malware still active?
One of the most sophisticated features of Citadel malware was its ability to target password managers, such as Password Safe and KeePass. It would try to steal the master password, which would give it access to all passwords saved in the password manager. Microsoft and the FBI managed to disrupt the Citadel botnet, and by using the malware's very own tech-support system they tracked down and arrested one of its developers. Mark Vartanyan, a computer science professional from Russia, was sentenced to 5 years in federal prison for his involvement in developing the Control Panel for Citadel. Another Russian national, Dimitry Belorossov, was arrested in 2015 for his involvement in distributing Citadel onto computers.
Distribution of the Citadel trojan stopped in 2016, but new malware based on Citadel appeared. One malware strain stemming from Citadel was a banking trojan that also infected computers with TeslaCrypt ransomware, a serious file-encrypting malware.