Citadel Makes a Comeback, Targets Japan Users
Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan, with the campaign itself ongoing since early June of this year. We’ve reported about such incidents in the past, including in our Q1 security roundup – and we believe this latest discovery shows that those previous attacks have been expanded and are a part of this particular campaign.
We discovered the online banking Trojan involved in this campaign to be a variant of the Citadel family. Citadel variants are well-known for stealing the online banking credentials of users, directly leading to theft.
We’ve identified at least 9 IP addresses serving as its command and control(C&C) servers, most of them detected to be belonging in the US and Europe. Monitoring these servers, we also discovered that 96% of the connections to these servers are coming from Japan – further proof that the most of the banking trojan infections are coming from that one specific country.
In addition to this, we also managed to find out the following about this campaign:
- Only financial and banking organizations native to Japan are targeted in this attack
- Popular webmail services (Gmail, Yahoo! Japan mail, Hotmail) were also targeted
We are currently enhancing the monitoring of the C&C servers related to this campaign. During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible.
The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.
Trend Micro customers are protected from all related malware and malicious elements in this attack.