Citadel

The Citadel trojan is a variant of the king of financial malware, Zeus. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel was initially noteworthy largely because its creator adopted the open-source development model, letting anyone review its code and improve upon it (make it worse).

The group or groups of criminals responsible for Citadel built a community of customers and contributors around the globe who suggested new features for the malware and contributed code and modules, forming a criminal social network of sorts. Some of the most notable capabilities included AES encryption of configuration files and of communications with the C&C server, the ability to evade tracking sites, the capacity to block access to security sites on victim machines, and the ability to record video of victim activity.

The network of Citadel contributors kept adding newer and more dynamic features to the trojan, making it more adaptive and faster, until it became so versatile that criminals began using it for all stripes of credential theft.

Citadel saw big success until Microsoft and a coalition of other companies launched an operation that would eventually disable some 88 percent of its infections.