Posts Tagged: Aquabox


25
Jul 17

How a Citadel Trojan Developer Got Busted

A U.S. District Court judge in Atlanta last week handed a five year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught.

For several years, Citadel ruled the malware scene for criminals engaged in stealing online banking passwords and emptying bank accounts. U.S. prosecutors say Citadel infected more than 11 million computers worldwide, causing financial losses of at least a half billion dollars.

Like most complex banking trojans, Citadel was marketed and sold in secluded, underground cybercrime markets. Often the most time-consuming and costly aspect of malware sales and development is helping customers with any tech support problems they may have in using the crimeware.

In light of that, one innovation that Citadel brought to the table was to crowdsource some of this support work, easing the burden on the malware’s developers and freeing them up to spend more time improving their creations and adding new features.

Citadel users discuss the merits of including a module to remove other parasites from host PCs.

Citadel users discuss the merits of including a module to remove other parasites from host PCs.

Citadel boasted an online tech support system for customers designed to let them file bug reports, suggest and vote on new features in upcoming malware versions, and track trouble tickets that could be worked on by the malware developers and fellow Citadel users alike. Citadel customers also could use the system to chat and compare notes with fellow users of the malware.

It was this very interactive nature of Citadel’s support infrastructure that FBI agents would ultimately use to locate and identify Vartanyan, who went by the nickname “Kolypto.” The nickname of the core seller of Citadel was “Aquabox,” and the FBI was keen to identify Aquabox and any programmers he’d hired to help develop Citadel.

In June 2012, FBI agents bought several licenses of Citadel from Aquabox, and soon the agents were suggesting tweaks to the malware that they could use to their advantage. Posing as an active user of the malware, FBI agents informed the Citadel developers that they’d discovered a security vulnerability in the Web-based interface that Citadel customers used to keep track of and collect passwords from infected systems (see screenshot below).

A screenshot of the Citadel botnet panel.

A screenshot of the Web-based Citadel botnet control panel.

Continue reading →


7
Sep 15

Arrests Tied to Citadel, Dridex Malware

Authorities in Europe have arrested alleged key players behind the development and deployment of sophisticated banking malware, including Citadel and Dridex. The arrests involved a Russian national and a Moldovan man, both of whom were traveling or residing outside of their native countries and are now facing extradition to the United States.

cuffedLast week, a 30-year-old from Moldova who was wanted by U.S. authorities was arrested in Paphos — a coastal vacation spot in Cyprus where the accused was reportedly staying with his wife. A story in the Cyprus Mail has few other details about the arrest, other than to say authorities believe the man was responsible for more than $3.5 million in bank fraud using a PC.

Sources close to the investigation say the man is a key figure in an organized crime gang responsible for developing and using a powerful banking Trojan known as “Dridex” (a.k.a. Cridex, Bugat). The Dridex gang is thought to have spun off from the “Business Club,” an Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide.

In June 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Business Club’s key asset: The Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs and was used in countless cyberheists. Dridex would first emerge in July 2014, a month after the Gameover Zeus botnet was dismantled.

Separately, the press in Norway writes about a 27-year-old Russian man identified only as “Mark” who was reportedly arrested in the Norwegian town of Fredrikstad at the request of the FBI. The story notes that American authorities believe Mark is the software developer behind Citadel, a malware-as-a-service product that played a key role in countless cyberheists against American and European small businesses.

For example, Citadel was thought to have been the very same malware used to steal usernames and passwords from a Pennsylvania heating and air conditioning vendor; those same stolen credentials were reportedly leveraged in the breach that resulted in the theft of nearly 40 million credit cards from Target Corp. in November and December of 2013.

The Norwegian newspaper VG writes that Mark has been held under house arrest for the past 11 months, while the FBI tries to work out his extradition to the United States. His detention is being fought by Russia, which is naturally opposed to the treatment he may receive in the United States and says the evidence against Mark is scant.

According to VG, the U.S. Justice Department believes Mark is none other than “Aquabox,” the nickname chosen by the proprietor of the Citadel malware, which was created based off of the source code for the ZeuS Trojan malware. Citadel was sold and marketed as a service that let buyers and users interact with the developer and one another, to solicit feedback on how to fix bugs in the malware program, and to request new features in the malware going forward.

For a full translation of the original Citadel sales pitch as penned by Aquabox in 2011, see this link (PDF). For a full translated version of the VG story on Mark, see this PDF (thanks to KrebsOnSecurity reader Jeevan Sivagnanasuntharam for helping with the translation). VG notes that Mark continues to maintain his innocence. [Side note: The Citadel malware has for years had in its code a dig directed at the author of this blog: Included in the guts of the Trojan is the text string, “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Needless to say, the second part of that statement is true, but Citadel was not coded by this Brian Krebs.]

A text string inside of the Citadel trojan. Source: AhnLab

A text string inside of the Citadel trojan. Source: AhnLab

Ars Technica carries an interesting piece about Deniss Calovskis, a Latvian man who was arrested in February and extradited to the United States for his role in creating the Gozi virus, another powerful malware family that has been used in countless cyberheists. The 30-year-old Calovskis long maintained his innocence, but ultimately acknowledged his role in a guilty plea entered in a federal court in Manhattan last week. Continue reading →