New raise of Citadel malware…banking again under attack

Pierluigi Paganini August 22, 2012

The FBI has launched an alert titled “Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money”.

One of the sectors most targeted by cyber attacks and by malware is banking; in recent months we have read several times about agents developed to steal account credentials and to carry out complex frauds. We all remember malicious applications such as SpyEye and Zeus; the latter is considered one of the most prolific malware families, due to the great variety of agents isolated all around the world in the recent period, which have affected different platforms.

Financial institutions and banks need to take these cyber threats seriously, since for the first time they are creating great problems for the spread of web-based banking services.

Ransomware, malware and phishing are the most insidious menaces for the sector; they have registered an impressive growth in the last year, and the trend is really frightening.

Last week, due to the increase in the number of infected PCs, the FBI launched an alert titled “Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money” to explain that the IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton.

“The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user’s IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.”

Of course, to unlock the PC the victim has to pay a fine to the U.S. Department of Justice using a prepaid money card service.

In this specific case the victim is cheated several times: first by the ransomware and then by the Citadel malware, which, once it has infected the machine, continues to perform fraudulent online banking operations and to steal sensitive information.

The level of complexity of these cyber threats is as surprising as the sales model behind them. In a past article I explained how powerful the concept of “malware as a service” is: criminal organizations are able to customize the agents for specific clients, distributing them through anonymity channels such as the Deep Web.

We are facing an impressive business, and criminals know that the risks are really limited.

Citadel malware represents a powerful variant of the Zeus agent; it is considered an ongoing project because of the model it follows, and its evolution now also involves new social media platforms and operation on mobile devices.

Experts believe that the new variant, which includes a ransomware component, has been developed with the specific intent to attack the US banking sector where, unlike in Europe, users have no experience with this fraud scheme.

As said, this time the evolution of Citadel is more dangerous due to the combination of several offensive malicious components inside the same agent, an information stealer and a ransomware, and the forecast is that in the next versions more modules will be integrated to circumvent users' defenses. Zeus today represents the maximum expression of malware evolution due to its diffusion and to the number of variants detected.

Returning to the FBI alert, it suggests:

  • File a complaint at Look for updates about the Reveton virus on the IC3 website.
  • Seek out a local computer expert to assist with removing the malware.
  • Do not pay any money or provide personal information.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.

Watch out, the enemy may have already infected your machine!


Pierluigi Paganini

(Security Affairs – Citadel malware, cybercrime)
