Citadel

(Type: Banking trojan, POS malware, Info stealer, Credential stealer)

(Malwarebytes) Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked in late October and although it is not the latest (1.3.5.1), it gives us a good insight into what tools the bad guys are using to make money.

[News Analysis] Trends:

Total Trend: 6

Trend Per Year (mentions per year)
2012: 1
2016: 2
2017: 1
2020: 1
2021: 1


Trend Per Month (mentions per month)
Nov 2012: 1
Feb 2016: 2
Dec 2017: 1
Aug 2020: 1
May 2021: 1



[News Analysis] News Mention Another Threat Name:

17 - Citadel
16 - SpyEye
16 - Zeus
16 - BackSwap
16 - Carberp
16 - DanaBot
16 - Dridex
16 - Dyre
16 - Emotet
16 - Gozi
17 - Kronos
16 - PandaBanker
16 - Ramnit
16 - Shylock
16 - Tinba
16 - TrickBot
16 - Vawtrak
2 - Meterpreter


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals

2021-05-07 by Office of Public Affairs from Department of Justice

Banking Trojans: A Reference Guide to the Malware Family Tree

2020-08-09 by Remi Cohen from F5 Labs

MoneyTaker 1.5 YEARS OF SILENT OPERATIONS

2017-12-11 by Group-IB from Group-IB

Citadel 0.0.1.1 (Atmos)

2016-02-19 by Xylitol from XyliBox

Banking Trojan “Citadel” Returns

2016-02-16 by JPCert from JPCERT/CC

Citadel: a cyber-criminal’s ultimate weapon?

2012-11-05 by Jérôme Segura from Malwarebytes

Basic Information (Credit @etda.or.th)

Tool: Citadel

Names: Citadel

Description: (Malwarebytes) Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked in late October and although it is not the latest (1.3.5.1), it gives us a good insight into what tools the bad guys are using to make money.

Category: Malware

Type: Banking trojan, POS malware, Info stealer, Credential stealer

Information: https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

Information: https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/

Information: http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html

Information: http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Information: https://www.secureworks.com/research/point-of-sale-malware-threats

Information: https://en.wikipedia.org/wiki/Citadel_(malware)

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:citadel

Last-card-change: 2020-05-25

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
