May 2, 2012 - Trusteer Intelligence researchers have discovered a clever new use of the Citadel malware platform (a descendent of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and highjacks victims' computers. This ransomware, named Reveton, freezes the compromised machine's operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform. This is another example of financial malware expanding beyond online banking fraud and being used as a launch pad for other types of cyber-attacks. Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution.
The attack begins with the victim being lured to a drive-by download website. Tere a dropper installs the Citadel malware on the target machine, which retrieves the ransomware DLL from its command and control server.
Once installed on the victim's computer, the ransomware locks-up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen (below) claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.
In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard.
Independent of the Reveton ransomware secondary payload, Citadel continues to operate on the compromised machine on its own. Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform's man-in-the-browser, key-logging and other malicious techniques.
"It is clear from this and similar attacks Trusteer has discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack," said Trusteer CTO Amit Klein. "Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information. We have to recognize that cyber-crime and cyber-security protection begins with the endpoint now more than ever."