Citadel: The Thoroughbred of Cyber Crime

In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel ( was leaked in late October and although it is not the latest (, it gives us a good insight into what tools the bad guys are using to make money.

In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.

A nice home

In order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye on their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums.

Those hosting firms are for the most part located in countries like China or Russia and therefore in their own jurisdiction where so long as you don’t commit crimes against your own people not a whole lot can happen to you. To cover their tracks even more, the bad guys use proxy or VPN services that disguise their own IP address.

A shiny new toy

Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.

Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.

To install Citadel, you simply browse to the install folder with your browser and set up the main access username and password as well as database information.

In this testing, the installer did not automatically create the database but you can do so by hand. To finally access the login page, you need to browse to the cp.php file:

 Before logging in, I want to show you the other component that makes this package complete. It is called the builder and is essentially used to create the piece of malware that criminals will distribute (forced installs through infected websites) and that links to their crimekit.

Stolen credentials are harvested by various means:

  • Keystroke logging
  • Screenshot capture
  • Video capture

A powerful feature used to trick users into revealing confidential information is dubbed WebInject. It is powerful because it happens in real time and is completely seamless. A WebInject is a piece of code that contains HTML and JavaScript which creates a fake pop-up that asks the victim for personal information within the context of logging into a site. The bad guys can trigger it in two ways: either automatically when a site of interest is opened by the victim, or manually on the fly.

It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure pad lock with the financial institution’s SSL certificate. This type of hack is also called a man-in-the-middle attack. Many times this kind of attack doesn’t work as users get suspicious. Ransom-ware works much better in my opinion.

Since a lot of people download music and movies from torrents or other shady sites, the message tricks them into thinking they have been caught by the local authorities. It’s a very smart scare tactic which works quite well, unfortunately. To add to the drama, the malware will attempt to turn on the user’s webcam as if they were already under surveillance.

The FBI has posted an article regarding this scam ( and urges people to not pay any money as it could get you into even more troubles.

Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:

  1. Reboot your computer into Safe Mode with Networking. (Instructions from Microsoft here)
  2. Download Malwarebytes Anti-Malware.
  3. Run Malwarebytes Anti-Malware and remove all malware

What’s next for Citadel?

The latest version ( whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).

The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.

How to protect yourself

When seeing such technically advanced crimekits it puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti malware solution will keep you safe(r).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s