Citadel was a banking trojan first seen in 2011 as an offshoot of the Zeus banking trojan, built on the Zeus source code after it leaked. It was a highly successful piece of malware that stole money and personal data from millions of victims. Citadel was highly evasive, able to slip past many detection products and to remain dormant on a victim machine for months before acting. Beyond its keylogging capabilities, Citadel was also used to target password managers and authentication solutions, harvesting the master credentials that protected other accounts.

Dimitry Belorossov, a developer of Citadel, was sentenced to four years and six months in US prison in September 2015 for conspiring to commit computer fraud. Citadel is reported to have infected some 11 million computers around the world, forming botnets that harvested banking credentials, credit card information, and other personally identifiable information. The FBI and the Microsoft Digital Crimes Unit collaborated to disrupt the Citadel botnets.

Following the dismantling of Citadel, a new variant, Atmos, emerged; it uses web injects to manipulate victims' online banking sessions and steal credentials. In 2016 this strain was reported targeting banks in France and delivering the TeslaCrypt ransomware as a secondary payload.
- January 2014: Citadel was reportedly used in the initial compromise that led to the Target breach of 2013. A third-party HVAC contractor was infected with Citadel via a spear-phishing email. (Security Intelligence: "What Retailers Need to Learn from the Target Breach to Protect against Similar Attacks")
- November 2014: IBM Security Intelligence reported "Cybercriminals Use Citadel to Compromise Password Management and Authentication Solutions."
- September 2015: FBI Press Release: "Russian Developer of the Notorious Citadel Malware Sentenced to Prison."
- April 2016: Heimdal Security reported on the resurfacing of Citadel as the new Atmos trojan.
- March 2017: Russian hacker "Kolypto," who worked on the Citadel trojan, was extradited to the United States. (BleepingComputer)