
The Citadel Trojan is not exactly new malware; it has been around for some time. It operates in a fairly simple way: once the malware reaches the victim’s machine, it connects to a remote command-and-control server and downloads a configuration file that tells it what to look for, and then it starts keylogging (recording the user’s keystrokes). IBM Trusteer researchers have now found a new Citadel configuration aimed explicitly at password manager software, which makes it even more insidious.

Password managers are programs designed to relieve users of the burden of remembering many passwords for multiple sites while, at the same time, keeping those passwords complex enough to be secure. A password manager asks you to create a master password. That is the password you use to log in to your password manager profile, and the only password you have to remember. From then on, you can generate long and complex passwords for your accounts and the password manager will remember them for you, storing them encrypted under a key derived from the master password.

This new Citadel configuration seems to be designed specifically to steal master passwords. Citadel itself is already hard to detect, and this configuration in particular can remain idle indefinitely until precise circumstances arise, only then starting its keylogging. In the sample retrieved by IBM Trusteer, the configuration file instructed the malware to become active if certain processes were running on the system:

[Image: excerpt of the Citadel configuration file listing the three process names that activate the keylogger; not reproduced here]
As the configuration snippet shows, this version of Citadel becomes active if any one of those three processes is found on the system. All three are processes created by password manager software, which strongly suggests the malware is trying to keylog the master password of those programs. That is the critical point: once the master password has been captured, the encryption protecting the stored passwords no longer helps, because whoever holds the master password can simply open the vault.
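To make the "dormant until a target process appears" mechanism concrete, here is an added illustration written for this article; it is not Citadel's code, and the configuration format below is constructed for the example (the real Citadel configuration file is not reproduced on this page). Only KeePass.exe is a process name mentioned on the page; the other two trigger names are placeholders. The same matching logic is also turned around for the defender: given a recovered trigger list and a per-host process inventory, it reports which hosts run a targeted password manager. The normalization step matters in practice, since process names arrive as full paths and in mixed case.

```python
"""Added example: process-triggered activation, as described for the Citadel
configuration, plus the defender-side inverse of the same check.

Everything here is constructed for illustration. The config format is
hypothetical; 'ExampleVault.exe' and 'HypotheticalPM.exe' are placeholder
names, not real password managers.
"""
from __future__ import annotations

import ntpath

# Constructed, hypothetical configuration text (not Citadel's real format).
SAMPLE_CONFIG = """
# keylogger stays idle until one of these processes is running
trigger_process = KeePass.exe
trigger_process = ExampleVault.exe
trigger_process = HypotheticalPM.exe
"""

# Constructed process inventories for a clean host and a host running KeePass.
RUNNING_CLEAN = ["explorer.exe", "chrome.exe", "notepad.exe"]
RUNNING_PM = RUNNING_CLEAN + [r"C:\Program Files\KeePass\KeePass.exe"]


def normalize_process_name(name: str) -> str:
    """Reduce a process name or full Windows path to a lower-case basename,
    so r'C:\\Program Files\\KeePass\\KeePass.exe' and 'KEEPASS.EXE' compare equal.
    ntpath is used so backslash paths are handled on any platform."""
    return ntpath.basename(name.strip()).lower()


def parse_trigger_config(text: str) -> list[str]:
    """Extract the normalized trigger process list from the constructed format."""
    triggers: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "trigger_process":
            triggers.append(normalize_process_name(value))
    return triggers


def matched_triggers(triggers: list[str], running_processes: list[str]) -> list[str]:
    """Return the trigger names present in the running-process list (sorted)."""
    running = {normalize_process_name(p) for p in running_processes}
    return sorted(t for t in set(triggers) if t in running)


def should_activate(triggers: list[str], running_processes: list[str]) -> bool:
    """Malware-side decision: wake the keylogger if any trigger process runs."""
    return bool(matched_triggers(triggers, running_processes))


def hosts_at_risk(triggers: list[str], inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Defender-side view: for each host in a process inventory, list the
    targeted password-manager processes that would wake the keylogger
    if that host were infected with this configuration."""
    return {
        host: hits
        for host, procs in inventory.items()
        if (hits := matched_triggers(triggers, procs))
    }


if __name__ == "__main__":
    triggers = parse_trigger_config(SAMPLE_CONFIG)
    print("triggers:", triggers)
    print("clean host activates:", should_activate(triggers, RUNNING_CLEAN))
    print("KeePass host activates:", should_activate(triggers, RUNNING_PM))
    print("hosts at risk:", hosts_at_risk(triggers, {"ws01": RUNNING_CLEAN, "ws02": RUNNING_PM}))
```

Run it directly to see the clean host leave the keylogger idle while the host running KeePass activates it; the `hosts_at_risk` output is the list an incident responder would use to prioritize which machines to check first once a configuration like this has been recovered.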

Unfortunately, there is no way to know whether the attack IBM discovered was opportunistic or crafted specifically for that particular victim. In any case, we at TechRaptor advise readers who use password managers to keep their software up to date at all times.

Luigi Savinelli

Staff Writer

Gamer for as long as I can remember and now writer for your enjoyment. Can't say more. Those games will not play themselves.

  • Stuart Burns

    Awww, shit. I used KeePass. I barely use it much, though. I’ve somehow memorized my ridiculously complex password.

  • wcg

    How about LastPass? It’s mostly online and doesn’t have a resident process (or does it?) I use 1Password on the Mac which doesn’t seem to be part of this attack.

  • Luigi Savinelli

    Right now the only reported finding of a new configuration is the one listed in the article. That doesn’t mean that different infections on different machines may have different configuration files. Theoretically LastPass is not safe but, again, theoretically nothing is ever safe. So no reason to fret. Antivirus software updates often enough to give a relatively safe environment.