Citadel hasn't gone

Last week, our friends from TrendMicro shared with the cyber community a new ZeuS variant that has the ability to spread via USB. This variant appears to be a new version of Citadel, versioned as

Among the new features contained in the code, the malware can now spread via external devices by taking advantage of the “autorun.inf” functionality; this can be seen clearly in the decoded binary strings below:


The debug information illustrates the point further:

AUTOCOPY: report=[DEVICE], type=[USB], deviceID=[%s], vendorID=[%s], caption=[%s], size=[%s], HKLM_NoDriveTypeAutoRun=[%u], HKCU_NoDriveTypeAutoRun=[%u]. 
AUTOCOPY: report=[STATUS], active=[%u].

…and the respective command to activate it can be seen below
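As an added example (not code from the post, S21sec or the malware itself), the following parses reports in the AUTOCOPY format quoted above and evaluates the HKLM/HKCU NoDriveTypeAutoRun values they carry, the registry bitmask defenders use to disable autorun.inf on removable media. The sample lines are constructed, and the "both hives must disable it" rule is a conservative assumption, not a statement of Windows policy precedence.

```python
import re
from typing import Dict, List

# NoDriveTypeAutoRun is a bitmask: bit (1 << DRIVE_TYPE) disables AutoRun
# for that Win32 drive type. USB sticks are DRIVE_REMOVABLE (2) -> 0x04.
DRIVE_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
              "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40}
DISABLE_ALL = 0xFF  # the usual hardening value (all drive types)

_FIELD = re.compile(r"(\w+)=\[([^\]]*)\]")

# Constructed sample lines in the AUTOCOPY format; device/vendor values are
# made up, 145 == 0x91 is a stock Windows default, 255 == 0xFF is hardened.
SAMPLE_REPORTS: List[str] = [
    "AUTOCOPY: report=[DEVICE], type=[USB], deviceID=[VID_0000&PID_0001], "
    "vendorID=[0000], caption=[Example USB Disk], size=[8004042752], "
    "HKLM_NoDriveTypeAutoRun=[145], HKCU_NoDriveTypeAutoRun=[145].",
    "AUTOCOPY: report=[DEVICE], type=[USB], deviceID=[VID_0000&PID_0002], "
    "vendorID=[0000], caption=[Hardened Host Stick], size=[4004052992], "
    "HKLM_NoDriveTypeAutoRun=[255], HKCU_NoDriveTypeAutoRun=[255].",
    "AUTOCOPY: report=[STATUS], active=[1].",
]


def parse_autocopy(line: str) -> Dict[str, str]:
    """Split one 'AUTOCOPY: key=[value], ...' line into a dict of fields."""
    if not line.startswith("AUTOCOPY:"):
        raise ValueError("not an AUTOCOPY report line")
    return dict(_FIELD.findall(line))


def autorun_disabled(mask: int, drive: str = "removable") -> bool:
    """True if the NoDriveTypeAutoRun bitmask disables AutoRun for `drive`."""
    return bool(mask & DRIVE_BITS[drive])


def assess(line: str) -> Dict[str, object]:
    """Decide whether the reporting host still honours autorun.inf on USB.

    Conservative rule (an assumption): the host counts as hardened only if
    BOTH hives disable AutoRun for removable drives.
    """
    rep = parse_autocopy(line)
    if rep.get("report") != "DEVICE":
        return {"report": rep.get("report"), "usb_autorun_disabled": None}
    hklm = int(rep.get("HKLM_NoDriveTypeAutoRun", "0"))  # missing -> nothing disabled
    hkcu = int(rep.get("HKCU_NoDriveTypeAutoRun", "0"))
    hardened = autorun_disabled(hklm) and autorun_disabled(hkcu)
    return {"report": "DEVICE", "device": rep.get("caption", ""),
            "hklm": hex(hklm), "hkcu": hex(hkcu),
            "usb_autorun_disabled": hardened}
```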

This new feature, coupled with the “network scan” command, shows that the developers behind this sample are looking to go further than simply committing banking fraud. This raises the question: why?

Clearly there are a number of different schools of thought one can adopt to explain this change. Let’s begin with the simplest explanation: by adding these new capabilities the developers have created a more complete Trojan. This idea fails to take into account that there is more sophisticated malware in the underground economy that is better able to complete these tasks. At this early stage it is very difficult to fully comprehend the thinking behind this new approach of moving the malware away from being a pure banking Trojan. S21sec will closely monitor the continued evolution of the malware and try to understand better why this new approach has been taken.

In addition to these new changes, we have seen some that we have come to expect on a periodic basis, such as the addition of a new encryption layer for both the communication and the configuration file.

In the last known version (, the configuration file was encrypted using a modified AES and VisualEncrypt/Decrypt (a XOR pass), but it now includes an additional layer of encryption: a new XOR scheme using two values, a fixed constant embedded in the binary and 32 random bytes. This new layer is also used to encrypt the communication.

All these new changes try to add some freshness to a family that had been stuck at the last known version after a very active period, showing that its authors are still (playing) with us.

Santiago Vicente and Mikel Gastesi.
S21sec e-crime
