A Citadel variant has been used against several Middle Eastern petrochemical companies, marking the first time the financial malware has been found in targeted attacks against companies.
Trusteer, the IBM security firm that made the discovery, declined to identify the companies whose names were found in configuration files in the malware. Trusteer did not know whether the companies' systems were actually infected with the software.
Nevertheless, the finding opens a new chapter in the sophisticated malware typically distributed through phishing attacks launched from botnets of thousands of infected PCs.
Citadel has proven particularly effective in stealing consumers' online banking credentials. Last year, Microsoft reported disrupting nearly 90 percent of Citadel botnets worldwide in a takedown operation that also involved the FBI and partners in technology and financial services.
Citadel's advanced capabilities in evading anti-virus software and stealing data make it particularly useful in targeted attacks against enterprises, Dana Tamir, director of enterprise security at Trusteer, said Tuesday.
"Citadel is highly sophisticated," Tamir said. "Data exfiltration and evasive techniques were added to it, making it a very powerful tool."
The malware is especially good at stealing login credentials from an infected computer's Web browser. The variant analysed by Trusteer was configured to watch for the login URL of webmail systems.
When a PC user types in his login credentials, the malware grabs the username and password and sends them to its command and control server. From there, the attacker can use the credentials to log into the email account and steal corporate communications.
In addition, the attacker can use Citadel to commandeer an infected computer, providing access to other systems connected to the same network.
Trusteer believes the attackers behind the Citadel variant were going after organisations with infected systems that were already part of a botnet, Tamir said.
The use of botnet-distributed financial malware in targeted attacks is not new. Besides Citadel, Trusteer has found variants of Zeus, SpyEye and Shylock designed to steal corporate data.
"Every customer environment we work with we find variants of either Zeus or Citadel or SpyEye or some other financial malware," Tamir said.
Regions of the world with the highest rates of infection include the United States, the United Kingdom and Saudi Arabia, according to Trusteer. Infection rates in those areas ranged from 0.24 percent to 0.26 percent, based on the number of infected computers per 10,000 machines.