Citadel Trojan Variant Evades Virtual Machine Analysis

Thursday, June 28, 2012



S21sec researchers Mikel Gastesi and Jozsef Gegeny have noted an adaptation in the Citadel malware that acts to evade analysis of the malicious code by way of a virtual environment.

The Citadel Trojan is a Zeus offshoot that can be used to commit online banking and credit card fraud by harvesting login credentials from compromised systems.

"While analyzing the latest version of Citadel ( we were able to observe two changes that try to make malware analysts' life harder. These changes also had been announced on a particular underground forum before they appeared in the wild," the researcher stated.

The new function is an anti-emulator feature that works to prevent reverse engineering efforts necessary to understand how the malware operates, slowing down mitigation efforts.

"[The] added anti-emulator, which allows you to protect your botnet from reversing and getting into trackers. When it starts, a built-in detective checks if it is running in a virtual machine or in sandboxed environment (CWSandbox, VMware, Virtualbox), and if it is the case, it starts to behave differently and your botnet go unnoticed," the researchers explained.

The variant scans the infected machine for processes running that contain keywords in the "CompanyName" field like "vmware", "sandbox", "virtualbox", "geswall", "bufferzone", and "safespace".

"When a virtualized environment detected, unlike many other Trojans that stop to work, Citadel will continue to operate, but behaves in a different manner. It will generate a unique-machine dependent domain name (obviously fake) and tries to connect to this server (unsuccessfully), making it to believe that the bot is dead and its command and control server is offline, meanwhile the real C&C domain is kept hidden," Gastesi and Gegeny explain.

If the virtual processes are halted, the Citadel malware will perform as expected.

"If we run a Citadel sample of this kind in a VMWare environment, closing all processes related to VMware (vmwareuser.exe, vmwaretray.exe, ...) will be enough to force Citadel to act normally as if it were running in a physical machine," the researchers note.

Gastesi and Gegeny also found another alteration in this variant of Citadel: The inclusion of an internal hash in the malware's algorithm.

"While computing the stream cipher, in addition to the normal XOR operations of RC4, in each iteration the value is XORed with hash string's characters in a consecutive way. The change in the RC4 algorithm affects also how the Trojan communicates with its control panel, due to the same algorithm is used to encrypt network traffic. Therefore the new control panel won't be able to handle connections coming from older versions of the bot."

These discoveries confirm that Citadel, much like it's counterpart Zeus, remains a quite popular strain of malware, and cyber criminals continue to modified the Trojan to maintain its effectiveness.

IC3 recently noted that Citadel was being employed in a drive-by download attack that infected targeted machines with ransomware.

When a victims machine is infected, the system locks up and a screen appears that falsely notifies the user that they have violated United States Law, and demands a $100 fine be immediately paid to the US Department of Justice in order to resume normal functioning.

IC3 recommends that users not follow payment instructions, contact their banking institution, and report the issue at


Possibly Related Articles:
Viruses & Malware
malware Botnets Attacks Headlines sandboxing Ransomware trojan virtual Advanced Evasion Techniques
Post Rating I Like this!
J. Oquendo There are plenty of fixes for this. It is nothing "new" or "unique" (malware detecting virtualization). If you're using VMWare, in your guest machine you could simply modify the registry to remove the indicators and applications. Or you could use VirtualBox, or have a dedicated machine.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.