Citadel used to attack password managers
The growing popularity of password managers has inevitably led to attackers looking at ways to compromise them. IBM security recently announced in a post that the Citadel malware has been adapted to do just that.
Password managers have become popular with many users, as they enable a user to add in passwords for various sites that require authentication. The password manager typically has details such as the login identifier and the password(s) for various online services (including social media and banking sites), all stored in a type of password vault. Accessing the password vault requires the user to type in the master password. This enables the user to view the login identity and the password(s).
The Citadel malware was first identified in 2012; initially its behaviour was confined to stealing login credentials for online banking sites. Citadel uses a command and control server, which enables it to also receive updates. Citadel is difficult to detect; currently, it is estimated to be installed on 1 in 500 PCs worldwide. It is typically spread via phishing emails or by drive by downloads from compromised sites.
The latest version of Citadel targets “Password Safe”, which is an open source password manager originally devised by Bruce Schneier, “KeePass”, also an open source password manager, and “neXus Personal Security Client”, which is an online authentication solution.
Citadel targets these three solutions by listening in on the processes generated. Once a user starts up a manager, Citadel logs the keystrokes and uses this to extract the master password. Once the master password has been extracted, Citadel can steal a wealth of other information such as online login ids, banking credentials, social networking credentials, etc.
At this stage, the exact motive behind the adaptation of Citadel is not clear, though it is suspected that the stolen information is likely to be used for targeted attacks against organisations.