A new Citadel trojan variant includes different remote management tools to maintain persistence on victims PC

Pierluigi Paganini August 03, 2014

Experts at IBM discovered a new variant of Citadel banking malware which includes different remote management tools to maintain persistence on victims’ PC.

Researchers at IBM discovered a new variant of the Citadel banking malware which includes a new interesting feature that allows attackers to maintain persistence in the victim’s machine through remote management tools.

Citadel is directly derived from the popular Zeus banking Trojan, in June 2013 Microsoft and the FBI carried out takedowns that eradicated more than 1,400 botnets (nearly 88% of overall Citadel botnet) associated with this malware.

The new variant of Citadel detected by the experts is integrated with VNC and other remote management tools exploited by the attackers to remotely control victim machines, even after the malware has been detected and removed.


The choice of a remote management tool is not casual because applications like VNC allows attackers to avoid detection of defense systems that usually don’t block them.

Most advanced types of malware have this ability today, including SpyEye’s use of Remote Desktop Protocol (RDP) and Zeus’ and Citadel’s use of Virtual Network Connection (VNC). The security team at Trusteer, an IBM company, has just discovered a Citadel variant that takes this approach a step further, providing enhanced survivability for the attack as well as expanding this malware’s capabilities to perpetrate targeted attacks on enterprises.” report Etay Maor in a blog post.

Once the attackers are maintaining persistence to the victim computers, they can practically do everything they need, including downloading of further malicious payloads or reinfect the PC in case the malware is spotted and removed by security defense.

Citadel variant has come bundled with VNC (Virtual Network Connection) and also with Windows shell commands giving the attackers a peek at the targeted network which host the infected machine.

This version of Citadel exploits Windows shell commands to add a new local user including it into the local administrator and Remote Desktop Protocol groups with a password that never expires.

“The attacker has set up a backup back door into the infected device,” “Attackers benefit in the following ways when utilizing such a trick, especially when they are preparing for a persistent, long-term attack against an enterprise.” added  Maor.

The experts also detailed the commands that this variant of Citadel executes:

  1. net user coresystem Lol117755C /add – Add a new Windows local user (username: “coresystem,” password: “Lol117755C”)
  2. net localgroup Administrators coresystem /add – Add the new user to the local administrator group
  3. net localgroup ‘Remote Desktop Users’ coresystem /add – Add the new user to the local RDP group
  4. net accounts /maxpwage:unlimited – Set the password to never expire

The usage of Windows RDP allows attackers to fly under the radar, differently from ways to control remotely victims and it works even if the malware is removed from the PC.

“While malware modules and communications may be more vulnerable to interception and analysis by security software, using the Windows-native RDP capabilities may fly under the radar as some companies actually use this exact same protocol for technical support,” Maor said.

Resuming, this variant of Citadel represents an ideal choice to compromise enterprises in a persistent and long-term attacks. The experts listed the advantages of the choice:

  • Persistency: Even if Citadel (and its VNC module) are lost, the attacker can still use RDP to access the device.+
  • The illusion of safety: A user who detect and remove Citadel will have the illusion to be safe.
  • Flying under the radar: Windows-native RDP capabilities may fly under the radar, especially for enterprises which use this protocol for maintenance.

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs – (malware, Citadel)

[adrotate banner=”13″]

you might also like

leave a comment