April 15, 2014

Crimeware based Targeted Attacks: Citadel case, Part I

Elad Sharf Security Researcher

Targeted attacks are one of the hottest topics in the cyber security community today. Often when the term 'targeted attack' is used, a politically-motivated attack springs to mind, or what we like to call Cyberwarfare - a low volume and state-sponsored targeted attack that in many cases employs generic Remote Access Trojans such as Poison Ivy, ZxShell, XtremeRAT and more.

While Cyberwarfare has indeed been seen as a notable trend, it's evident that some actors that spread Crimeware (a term that represents cyber attacks that are financially motivated) also keep up with the trends and have been seen to utilize targeted attacks for financial profit.

We have been witnessing those trends for years as different financially-motivated actors found the advantages of employing a targeted cyber attack that avoids extended periods of misdetection by staying well below the radar. Since the general volume decreases with targeted attacks, financial data theft is compensated by cherry-picking a selection of targets that represent quality in terms of potential financial returns. Crimeware seen in targeted attacks is evident and seen daily through our ThreatSeeker® Intelligence Cloud where known Crimeware gets utilised by actors in short-lived email-based cyber attack bursts aimed at quality personnel in order to maximize financial data theft. 

In this three-part blog we're going to take a look at financially-motivated targeted email attack examples that involve a well-known Crimeware toolkit called 'Citadel'. We are going to describe in detail the attack method, attack duration, and the targeted personnel profile that allow us to label it as 'targeted'. In the second and upcoming part of the blog we will examine the financial assets targeted by Citadel in this attack by showing how to decrypt Citadel's (Zeus/Zbot) configuration and then look at what the actors were after. Let's begin!

Cyber attack lure artefacts

The financially motivated crimeware actor behind this attack utilises low volume email lure bursts and circulates them for very short periods of time (hours). Each time a new attack cycle commences, some of the artefacts of the email change in order to evade detection.  The artefacts used in lure email messages include:

  1. Source email address utilised is free email account (changes in every campaign).
  2. Masquerading as a company making an order or taking interest in product offerings, prices etc.
  3. A Zeus based crimeware installer binary repackaged (crypted) to evade AV detection.
  4. Crimeware installer is attached to the email in a zip file and masquerades as a PDF document.
  5. Targets organizations with individuals in key positions or individuals that are assumed to have accesses to financial resources.
  6. Lure emails are sent at late night times or early morning so they wait for the targets in their inbox.

An email lure example and the attached file:

[Click image to enlarge]



The artefacts have a dual purpose: to evade detection and to social-engineer the target to execute the malware. Altogether for that particular campaign, our cloud service has seen only 26 emails with that specific attachment (we are aware that certain scatter attacks often utilise different attachments, but in this case no other instances were found that held similar characteristics with a different attachment).

One of the interesting facts we found was that the attack that utilised the same file was actually separated to two campaigns. The first campaign (campaign 'a') was seen to include only 4 lure email messages that originated from a free email account on Yahoo (globaltrade@yahoo.com) on the 24th of March; the campaign was targeting rather generic email addresses like info@domain-name or specialprojects@domain-name .The second campaign (campaign 'b') started a day later and included 22 lure emails from the free email account on Yahoo (vitexinternational@yahoo.com) sent on the night between the 25th-26th of March, and this campaign targeted specific individuals holding specific positions (more on that in the next section about verticals)Both campaigns lasted only a few hours and commenced late at night,UTC time ~22:00 (see detailed images below for campaign details).

The binary attached with both campaigns was a Citadel variant SHA1: 4b422b48be4beaa44557c452f0920aa1ee0b16cb (for the ThreatScope sandbox report click here). The Virustotal detection rate for the binary is not bad when checked 3 days after the attack, but bear in mind that detection is very important at the actual time when the campaign commences, as the actors repackage (crypting) the binary to evade detection. Here is a Virustotal report of a 'fresh' repackaged crimeware seen in a campaign lure that we checked with Virustotal very close to the time the campaign was commencing, and here is a the report same binary checked a day later. 

Campaign 'a': commenced on the night of the 24th of March, lasted ~1 hour:

[Click image to enlarge]


Campaign 'b': commenced on the night between the 25th-26th of March, lasted ~4 hours

[Click image to enlarge]


Campaign 'a' and 'b' summary view: 

[Click image to enlarge]


The lure emails were sent to varying sizes of businesses and also government entities spread across different industries and multiple countries (see campaign details images above). The targeted entities were personnel holding top or key positions that usually hold access to different financial resources, including: managing directors, general managers, supply chain manager, merchandiser and PAs to managing directors.


In this blog post we described how cybercrime actors utilize Crimeware through conducting targeted attacks. The attack we described was short-lived with specific artefacts aimed to evade detection and social-engineer targets to run what is in fact a piece of Crimeware from the Zeus/Zbot family called Citadel.

Please stay tuned as in the next blog post we're going to have a deeper look into the Citadel variant delivered in this specific attack. We're going to show you how to decrypt the configuration file of Citadel in a step-by-step process to understand better what financial resources the actors behind this attack were after.

Editor’s note: All published links found to be broken, obsolete or otherwise inactive are subsequently removed from existing entries.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.