The Trojan looks for processes linked to KeePass, Password Safe, and the neXus Personal Security Client.
For cybercriminals, it’s a logical target — get the master password for a single repository, and you’ve got access to all of a victim’s login credentials.
With millions of computers worldwide already infected with the Citadel malware, the researchers say it’s easy for cybercriminals to provide updated instructions to those machines via a command and control (C&C) server.
“As long as the malware is communicating with the C&C, the configuration file can be updated with information about new targets, activities and C&C destinations,” Trusteer director of enterprise security Dana Tamir wrote in a blog post describing the threat.
“All attackers need to do is provide a new configuration file to the millions of existing instances and wait for infected machines to access the targets,” Tamir added.
The new Citadel configuration instructs infected machines to start keylogging when any of the following processes are running: Personal.exe, PWsafe.exe, or KeePass.exe.
According to Tamir, Personal.exe is a process belonging to the neXus Personal Security Client, PWsafe.exe belongs to the open source password manager Password Safe, and KeePass.exe belongs to the open source password manager KeePass.
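Because keylogging is armed only while one of these processes is running, an incident responder scoping an infected host needs to know when a watched password manager was open after the infection began. The sketch below is an added example, not code from Trusteer or the original article, and it computes those exposure windows from process start/stop events. The CSV layout, host names, timestamps and infection times are constructed assumptions, and the watchlist is a parameter so it can follow a changed configuration.

```python
import csv
from datetime import datetime
from ntpath import basename  # parses Windows paths on any OS

# Process names the article says the Citadel configuration watches for.
TARGETED = frozenset({"personal.exe", "pwsafe.exe", "keepass.exe"})

# Constructed sample events (assumed layout: time,host,user,action,image,pid).
SAMPLE_EVENTS = r"""
2024-01-15T08:55:00,WS-014,alice,start,C:\Program Files\KeePass\KeePass.exe,4120
2024-01-15T09:02:10,WS-014,alice,start,C:\Windows\System32\notepad.exe,4388
2024-01-15T09:20:00,WS-014,alice,stop,C:\Program Files\KeePass\KeePass.exe,4120
2024-01-15T11:30:00,WS-014,alice,start,C:\Tools\pwsafe.exe,5012
2024-01-15T11:45:00,WS-022,bob,start,C:\Program Files\Personal\Personal.exe,2200
2024-01-15T12:00:00,WS-022,bob,stop,C:\Program Files\Personal\Personal.exe,2200
""".strip().splitlines()


def exposure_windows(lines, infected_since, watchlist=TARGETED):
    """Return (host, user, process, start, end) windows in which a watched
    process ran on a host after that host's assumed infection time.
    infected_since maps host -> datetime; end is None if still running."""
    running, windows = {}, []
    for ts, host, user, action, image, pid in csv.reader(lines):
        name = basename(image).lower()
        if name not in watchlist or host not in infected_since:
            continue
        when, key = datetime.fromisoformat(ts), (host, pid, name)
        if action == "start":
            running[key] = (user, when)
        elif action == "stop" and key in running:
            owner, began = running.pop(key)
            # Clip to the infection time; drop windows that ended before it.
            began = max(began, infected_since[host])
            if began < when:
                windows.append((host, owner, name, began, when))
    # No stop event seen: the window is still open at the end of the log.
    for (host, _, name), (owner, began) in running.items():
        windows.append((host, owner, name, max(began, infected_since[host]), None))
    return windows


if __name__ == "__main__":
    infected = {"WS-014": datetime(2024, 1, 15, 9, 0)}
    for window in exposure_windows(SAMPLE_EVENTS, infected):
        print(window)
```

Credentials typed into the listed process during a returned window are the ones to rotate first; an end of `None` means the process had not exited by the end of the log.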
The IBM Trusteer researchers who found the new Citadel configuration file haven’t yet been able to determine who’s behind it, or if it’s specifically targeting a single institution.
“It might be an opportunistic attack, where the attackers are trying to see which type of information they can expose through this configuration, or a more targeted attack in which the attackers know that the target is using these specific solutions,” Tamir noted.
“Password management and authentication programs are important solutions that help secure access to applications and Web services,” Tamir added. “However, it is important to understand that these solutions can be compromised by malware.”
While the three solutions being targeted are only a small subset of the password managers currently available, it would be extremely simple for the attackers to update the configuration file to look for processes tied to other leading products.
In the meantime, Trusteer’s discovery should serve as a reminder to keep your anti-virus solutions updated, and to implement two-factor authentication where possible. Password Safe supports YubiKey authentication, and the KeeOtp plug-in for KeePass enables two-factor authentication.