The Citadel Trojan is not exactly new malware; it has been around for some time. It operates in a fairly simple way: once the malware reaches the victim's machine, it connects to a remote command-and-control server and downloads a configuration file stating what the software is supposed to look for, and then it starts keylogging (recording the user's keystrokes). IBM Trusteer researchers have found a new Citadel configuration that explicitly targets password manager software and makes the attack even more subtle.
Password managers are applications designed to relieve users of the burden of remembering many passwords for multiple sites while keeping those passwords complex enough to be secure. A password manager asks you to create a master password: the password you use to log in to your password manager profile, and the only one you have to remember. From then on, you can generate long, complex passwords for your accounts and the password manager remembers them for you, storing them encrypted for security.
This new Citadel configuration seems designed specifically to steal master passwords. Citadel itself is hard to detect, and this configuration in particular can remain idle indefinitely until certain conditions are met, only then starting its keylogging work. In the version retrieved by IBM Trusteer, the malware's configuration file instructed it to become active if certain processes were running on the system:
As the snippet in the picture shows, this version of Citadel becomes active if any of those three processes is found on the system. All three are processes created by password manager software, which suggests the malware tries to keylog the master password of that software.
Unfortunately, there is no way to know whether the attack discovered by IBM was opportunistic or was crafted specifically for that particular user. In any case, we at TechRaptor advise readers who use password managers to keep their software up to date at all times.