Banking Trojans target energy sector as APTs

News by Tim Ring

Banking Trojans are increasingly being used to launch advanced APT attacks, says IBM Trusteer, which has revealed a recent attack on several petrochemical companies in the Middle East using Citadel malware.

IBM also cites the recent Dyre-led attack on Salesforce in warning against the threat which, while not new, few people are aware of.

The danger is that around one in 500 computers are already infected by banking malware worldwide – so APT criminals don't have to use spear-phishing to get into organisations, they can simply re-purpose the malware already there by sending a new configuration file.

And IBM figures from its user base show the UK is the most vulnerable country in the world to these attacks, with the level of infection here as high as one in every 384 machines.

Other highly infected areas include the US, Belgium, Saudi Arabia, Chile and Mexico.

The latest attack was described by IBM Trusteer's director of enterprise security, Dana Tamir, in two 15 September blogs.

She said Citadel – which “has been massively distributed on users' PCs around the world” – was recently used to target one of the largest sellers of petrochemical products in the Middle East, a regional supplier of raw petrochemical materials and others. No company names were mentioned nor even the number of companies, but Saudi Arabia's Aramco and SABIC are among potential targets.

Citadel can steal information and remotely manage infected computers. And in these attacks, it was instructed to look for users accessing webmail and grab their name, password and other data.

This was used by the cyber criminal to log in on behalf of a trusted user, access corporate emails, send malicious emails and more.

Tamir blogged: “This is the first time we've seen Citadel used to target non-financial organisations in a targeted/APT-style attack in order to potentially access corporate data, steal intellectual property or gain access to secured corporate resources, such as mail systems or remote access sites.”

She said so-called banking malware now includes functions such as key logging, video capturing, form grabbing, HTML injection, remote execution of command line instructions, remote control of the infected machine, advanced evasion techniques and anti-research techniques.

“The development of sophisticated new capabilities turns these Trojans into powerful APT tools,” she said. “They are no longer focused solely on stealing personal and financial data from victims: these Trojans are now being used to target various organisations in search of sensitive business data, access to organisational systems and even access to operational systems.”

Tamir added: “Banking Trojans offer another advantage: they are massively distributed. This allows cyber criminals to take advantage of millions of machines already infected with the Trojans.

“In order to point these Trojans at new targets — in this case, enterprise organisations — the cyber criminal only needs to provide these Trojans with a new configuration file. This enables cyber criminals to re-purpose existing Trojans on user machines as needed.

“This means that any organisation can become a target of these attacks. It is no longer a question of ‘if’ machines will become infected; you must consider the possibility that some of the machines in your organisation may already be infected.”

Speaking to, Tamir confirmed that Trojans such as Citadel “can now provide full remote access over the infected machine and can steal a lot more information than just credentials. We started seeing the first attempts a couple of years ago but now it is rapidly gaining more and more traction. We're seeing a lot more attempts lately than we've seen in the past.”

The malware works with a configuration file sent by the command and control server, she told us. “This operational file can include the target and what kind of information it wants. You can move it from one server to another, one target to another. You can actually provide it with software updates to strengthen the capabilities available. It's a very powerful tool.”

And Tamir warned: “Security professionals need to realise there is a high likelihood that there are infected machines already in their network. And these machines, even if they are not used currently to target their organisation, they might very quickly be updated and used as grappling hooks for an APT attack against the organisation.

“They can't assume that they just need to prevent these in the future. They need to look for these now, identify these infections, remove them, and prevent future infections.”

UK cyber security expert Luke Jennings, principal security consultant with MWR Labs, agreed with Tamir's views and raised the possibility of cyber criminals selling ‘access’ to corporations to other threat actors.

Given their criminal origins, it does appear the end purpose of the current attacks is financial rather than political or terrorist – but of course sale of access to the highest bidder is a potential concern.

Jennings told via email: “Banking Trojans tend to have powerful functionality that is generic enough that it can be used for many different malicious purposes, not just specifically financial crime. They are also fairly widely available, which may be more attractive than spending significant time and resource developing bespoke Trojans.

“They can also be used deliberately to prevent accurate attack attribution. If a business detects a compromise of their network and discovers it to be a variant of a common banking Trojan then they may consider it to be a generic attack not aimed at them and so not be as alarmed as they would be if they were to discover a bespoke Trojan that had never been seen before.

“Another consideration would be cyber criminals selling access to company networks to interested threat actors. The malware may have been spread originally for the purpose of financial crime but once the authors realise they have access to valuable targets they may find other uses for it.”

Jennings added: “Unfortunately, anti-virus alone is not enough to combat this threat. We regularly find common banking Trojans and adware on networks we investigate and the anti-virus in place has not picked up those specific variations.

“It is important that enterprises conduct regular compromise assessments of their networks as well as perform proactive security monitoring and stop relying on anti-virus as their only detection control.”
