Citadel Malware targets Bitcoin users, takes screenshots of browsers

Virtual currency Bitcoin become the most hot topic in the Internet after its value recently reached unbelievable level.

We recently aware that cyber criminals breached Bitcoin related websites to steal the Bitcoins.  There are also malware that will install Bitcoin Miner in victim's machine(eg: ZeroAccess).

Trusteer’s Security team have come across a new variant of Citadel malware which targets Bitcoin users capable of capturing screenshots of victim's browser whenever they visit Bitcoin related websites.

It also targets other virtual currency related websites such as Yandex money(,,, Perfect Money(

Facebook virus: Citadel targets Facebook Users with Children’s Charity Scam

Security researchers from Trusteer , have discovered a new variant of the Citadel malware that injects itself into your Facebook webpages and demands that you make a donation to a fake charity for sick children.

After users have logged into their Facebook account, the Citadel injection mechanism displays a pop up that encourages the victim to donate $1 to children who “desperately” need humanitarian aid.Next, it asks you for your name, credit card number, expiration date, CVV, and security password.

What makes this attack particularly sophisticated is the malware configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch.

In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region.

"This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective," a Trusteer spokesperson wrote.

"Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."

Citadel Trojan is going off the Open Market

A spokesperson for the minds behind the Citadel Trojan said recently on an underground forum that the malware would no longer be publicly available, according to RSA.

According to RSA’s FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum after the recent release of the Trojan’s latest version (v1.3.4.5) that the software would no longer be publicly available and only existing customers would be able to receive upgrades.

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC’s RSA security division told eWEEK July 2.

"While this could be a marketing stunt designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales," RSA blog post reads.

“By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually—as with Zeus, SpyEye, and Carberp—more cyber-crime arrests linked with using Citadel.”

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

Today, Citadel is the most advanced crimeware tool money can buy, RSA said. Sold for $2,500, attackers can also purchase plug-ins for an average of $1,000 each.

"Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement. Their actions of developing, supporting and selling advanced crimeware makes them an accessory to the crimes which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars."

"Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety."

Citadel banking Trojan developed as open source Malware

a few weeks ago, Security researcher Brain Krebs reported about Citadel Trojan, a new variant of Banking Trojan Zeus. According to the Seculert analysis, Malware authors created a social network that enables the customers of Citadelto suggest a new features and modules to the malware, report bugs and other errors in the system, comment and discuss related issues with fellow customers.

"Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011."Seculert posted in their blog."The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets."

Each version of the malware added new modules and features, some of which were submitted by the Citadel customers themselves.

They have included the following features in their malware: AES Encryption ,Avoiding Trackers Detection,Security vendors websites blacklist ,Trigger-based Video Recording.

Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement

"By looking at the developments in the software world, the open-source model may be well accepted in the cybercrime ecosystem as well" Seculert believes that the success of this Trojan could drive other malware writers to adopt the open-source model.