Citadel "involution"

Thanks to our Analysis Platform, which analyzes and classifies thousands of samples every day, we are able to track the malware families that may affect our clients. Among them is, of course, Citadel, one of the most popular banking trojans, which we have discussed at length before.

By tracking and analyzing the updates each botnet receives, we can monitor its activity: whether it is growing or shrinking, which entities it targets, when it becomes inactive, and so on.

Even though many months have passed since the latest version ( was released, and despite the widespread assumption that it would be replaced by other banking trojan families, the fact is that some Citadel botnets remain active today, even after the takedown operation carried out by Microsoft to eliminate the threat.

That said, since the beginning of the year we have seen a noticeable drop in the number of Citadel samples entering the analyzers each day.

The following graphs show the evolution over the past 10 months of the three most popular versions of the trojan:

Of course, this data would be incomplete without the information regarding the number of samples analyzed within that period.

As you can see in the following graph, the number of samples entering the Analysis Platform has grown considerably lately:

Right now, almost 90% of the active botnets are using the version of the trojan, which is in fact the most widespread one. In our view, the main reasons behind this are:
  • The version was the last one that, as far as we know, was sold "freely".
  • The leak of Citadel's builder has allowed many cybercriminals to create a botnet for free, even though they will, of course, lack any official updates.