Citadel Trojan Malware Attacking Canadian Based Financial Institutions – How to Remove Citadel Trojan
Friday 20th April 2018,



posted by Amy  
Filed under Malware, Online Safety Threat Alerts, Trojan

Citadel Trojan Malware Attacking Canadian Based Financial Institutions: Attacks Include Electronic Point-of-Sale Devices Compromising Debit/Credit Cards

The Citadel Trojan malware is widely being used for cyber-espionage and banking fraud.

It appears that there has been a recent ‘focus shift’ among those using the Trojan malware.

How does it work?

Once a victim enters all of the requested information into their account (e.g. the secret question created by the user, their PIN), Citadel captures that personal information and the cybercriminal uses the data to their advantage.

The cybercriminals operating a Citadel botnet will normally try to harvest as many login/password credentials as they can from as many sources as possible. Although this method produces a massive volume of data, its quality and usefulness can be lacking, which ultimately makes the genuinely valuable data hard to find in the haul.

SophosLabs (Sophos’ malware researchers) has been closely following a particular Citadel strain that is ‘target specific’: its goal is higher-quality data at the expense of quantity.

Further research into the configuration file that the malware downloads revealed that it was targeting several Canadian based banks and financial institutions. Among the institutions was a point-of-sale company that processes debit and credit card transactions.

Because the compromised point-of-sale devices store card details, each stolen account gave the cybercriminals a far larger return than a single set of login credentials would.

Data is harvested through keystroke logging, form grabbing and screen scraping.

While the victim browses the payment processing site, every left mouse click triggers a screen capture centred on the click position, and the captured image is sent back to the botnet owner. At the same time, the submitted form data is also grabbed and forwarded to the owner; this data includes user names, passwords and security questions.

Citadel Configuration:

The ‘Keylogger process’ section of the Citadel configuration file lists the processes in which keystrokes are logged. What does this mean if you are a victim? It means that every time you type information such as PINs, user names, login passwords and/or card details into one of those applications, the malware captures your keystrokes and all of that data is forwarded to the botnet operator.

The remote access applications named in this list, taken together, tell us what type of victim the cybercriminals are targeting.

The configuration file lists applications including, but not limited to:

  • GotoMyPC
  • VNC
  • SCP
  • PCAnywhere
  • Putty

The process names we recognize include:

  • Merchant
  • Sales
  • Store
  • Sage
  • QuickBooks

Reviewing these process names, we can conclude that the cybercriminals are targeting banks, financial institutions and retail stores.
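As an added example (not code from the original post or from SophosLabs), the script below shows how a defender can check which running processes on a host would fall inside a keylogger process list built from the two lists above. It assumes that Citadel matches process names as case-insensitive substrings (the post does not state the matching rule), and the `tasklist /FO CSV` output it parses is a constructed sample, not a capture from an infected machine.

```python
"""Added example, not from the original post: match a Windows process
listing against the remote-access tools and business applications the
post says appear in the Citadel keylogger process list.

Assumptions: the process list is treated as a case-insensitive substring
match on the image name, and SAMPLE_TASKLIST is constructed sample data.
"""
import csv
import io

# Remote-access tools named in the post's description of the configuration file.
REMOTE_ACCESS_TOOLS = ["GotoMyPC", "VNC", "SCP", "PCAnywhere", "Putty"]
# Business/retail process names the post says the keylogger watches for.
TARGETED_PROCESS_NAMES = ["Merchant", "Sales", "Store", "Sage", "QuickBooks"]
WATCHLIST = REMOTE_ACCESS_TOOLS + TARGETED_PROCESS_NAMES

# Constructed sample in the CSV layout produced by `tasklist /FO CSV`.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1234","Console","1","45,000 K"
"QuickBooks.exe","2210","Console","1","120,500 K"
"vncviewer.exe","3001","Console","1","12,300 K"
"putty.exe","3102","Console","1","8,100 K"
"notepad.exe","4100","Console","1","5,000 K"
'''


def parse_tasklist_csv(text):
    """Yield (image_name, pid) pairs from tasklist's CSV output, skipping the header row."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # header row
    for row in rows:
        if len(row) >= 2:
            yield row[0], int(row[1])


def watchlist_matches(image_name, watchlist=WATCHLIST):
    """Return the watchlist entries that occur (case-insensitively) in image_name."""
    name = image_name.lower()
    return [w for w in watchlist if w.lower() in name]


def exposed_processes(tasklist_csv, watchlist=WATCHLIST):
    """Return [(image_name, pid, matched_entries)] for every running process whose
    keystrokes a Citadel keylogger configured with this watchlist would capture."""
    hits = []
    for image, pid in parse_tasklist_csv(tasklist_csv):
        matched = watchlist_matches(image, watchlist)
        if matched:
            hits.append((image, pid, matched))
    return hits


if __name__ == "__main__":
    for image, pid, matched in exposed_processes(SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}) would be keylogged: matches {matched}")
```

On a live Windows host, feed `exposed_processes()` the output of `subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout` instead of the sample. Short watch words such as “Store” and “Sales” also match unrelated image names, so treat the result as a coarse exposure check rather than an infection indicator: it tells you which business applications on the host would be harvested if this configuration were present, which is useful when deciding where to prioritise monitoring and credential resets.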

The configuration file also has a specific section of additional code that is injected into the web page (a web inject), mostly targeting Canadian based banks. This forces the user to enter additional personal details that are not normally required (e.g. mother’s maiden name and other security questions).

Ironically, the botnet owners have indicated that these are merely tests. We assume the owners intend to develop this malware further, making it more sophisticated and harder for victims to recover from.

This demonstrates that the Citadel platform’s configuration file is extremely flexible.

It also demonstrates how a simple piece of malware can be turned from a common password stealer into an extremely dangerous threat to account data with only minor changes to its configuration.

Why should we be concerned?

Owners of crimeware kits are becoming more skilled at customising the kits they have bought. That skill lets the criminals refine an attack so that it is far more devastating to an organisation, and far harder for the organisation to recover from.

How to Remove Citadel Trojan

To avoid the problems that come with Citadel Trojan, you should take action now to remove it. Removing Citadel Trojan can be tricky, which is why you may want to use an antimalware solution to remove it from your system. Up-to-date antimalware software is one route to removing Citadel Trojan; the other is manual removal, which is best performed by more experienced PC users.

How you can easily remove Citadel Trojan from your computer

Automatically Detect and Remove Citadel Trojan:

Download SpyHunter AntiMalware


Have you tried the download in Safe Mode or the alternate download link? Our alternate download link usually bypasses the blocking agents in the Citadel Trojan virus… here is the link:

Also, for some, you may utilize the alternate download link while in SAFE MODE with NETWORKING to get our antimalware software to install and run…


If your internet browser is being blocked and you are unable to download SpyHunter, please follow these instructions:

1. Hold the WinKey (Windows Key on your keyboard) and press the R key at the same time.


2. Type in (or copy and paste) and press Enter.

3. The SpyHunter download will begin.

4. You must find the downloaded file SpyHunter-Installer.exe and open/run it (double-click) to start the installation of SpyHunter.

Note: Citadel Trojan may block installation of antimalware or antivirus software. You may need to boot your PC into Safe Mode with Networking to install an antimalware program.

Steps to boot into Safe Mode with Networking:

  1. Bookmark or Favorite this Post/Web Page.
  2. Restart your PC
  3. Press the F8 key (before Windows starts to load – during the boot sequence text screens) a few times until it registers.
  4. Select “Safe Mode with Networking” and press Enter.
  5. Allow the system to boot into Safe Mode with Networking and then return to this page to download an antimalware application.

DIY Citadel Trojan removal resources

*If you are an experienced computer user, you may locate and delete the Citadel Trojan files below. The manual removal process for Citadel Trojan is best performed while in Safe Mode.

Citadel Trojan Files

  • %APPDATA%\[random].exe
  • %StartupFolder%\[random].lnk
  • %StartupFolder%\[random].dll
  • %Temp%\[RANDOM].exe
  • %WINDIR%\system32\[random].exe
  • %AllUsersProfile%\Application Data\Citadel Trojan
  • %UserProfile%\Start Menu\Programs\Startup\.dll.lnk
  • %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.lnk
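As an added example for the manual removal step (not code from the original post), the script below triages a list of file paths against the persistence locations listed above and reports which ones match. It assumes that the post’s `%StartupFolder%` placeholder means the two Start Menu Startup folders the post itself names, that `[random]` can be approximated by a file stem of six or more letters and digits containing at least one digit, and that `%Temp%` and the other variables resolve through the environment; the environment and paths in the sample are constructed, not taken from an infected machine.

```python
"""Added example, not from the original post: triage file paths against the
Citadel persistence locations the post lists, and optionally list those
folders on a live Windows host.

Assumptions: %StartupFolder% is expanded to the two Start Menu Startup
folders the post names; "[random]" is approximated by RANDOM_STEM; the
SAMPLE_ENV and SAMPLE_PATHS below are constructed sample data.
"""
import os
import re
from pathlib import PureWindowsPath

STARTUP_FOLDERS = (
    r"%UserProfile%\Start Menu\Programs\Startup",
    r"%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
)
DROP_FOLDERS = (r"%APPDATA%", r"%Temp%", r"%WINDIR%\system32")
CITADEL_DIR = r"%AllUsersProfile%\Application Data\Citadel Trojan"

# Heuristic stand-in for the post's "[random]" names (an assumption made here).
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$", re.I)

# Constructed environment and directory listing for offline use.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "WINDIR": r"C:\Windows",
    "USERPROFILE": r"C:\Users\alice",
    "ALLUSERSPROFILE": r"C:\ProgramData",
}
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\x7k2p9q.exe",
    r"C:\Users\alice\AppData\Roaming\Zoom\Zoom.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.dll.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\alice\Start Menu\Programs\Startup\q4w8e1.dll",
    r"C:\ProgramData\Application Data\Citadel Trojan\config.bin",
    r"C:\Windows\system32\notepad.exe",
    r"C:\Users\alice\AppData\Local\Temp\8fj3k2.exe",
]


def expand(template, env):
    """Expand %VAR% placeholders from env (keys upper-cased) and lower-case the result."""
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)),
                  template).lower()


def triage_path(path, env):
    """Return a short reason code if path matches one of the post's indicators, else None."""
    p = PureWindowsPath(path)
    parent, name = str(p.parent).lower(), p.name.lower()
    stem, ext = os.path.splitext(name)  # ".dll.lnk" -> (".dll", ".lnk")
    if path.lower().startswith(expand(CITADEL_DIR, env)):
        return "citadel-data-dir"
    if parent in {expand(f, env) for f in STARTUP_FOLDERS}:
        if ext == ".dll":
            return "dll-in-startup"  # a DLL has no legitimate reason to sit in Startup
        if ext == ".lnk" and (stem in ("", "dll") or stem.endswith(".dll")
                              or RANDOM_STEM.match(stem)):
            return "dll-like-or-random-startup-shortcut"
    if (parent in {expand(f, env) for f in DROP_FOLDERS}
            and ext == ".exe" and RANDOM_STEM.match(stem)):
        return "random-exe-in-drop-folder"
    return None


def triage(paths, env):
    """Return [(path, reason)] for every path that trips an indicator, in input order."""
    results = []
    for path in paths:
        reason = triage_path(path, env)
        if reason:
            results.append((path, reason))
    return results


def triage_live():
    """On a Windows host, list the post's folders and triage their direct contents."""
    if os.name != "nt":
        return []
    env = {k.upper(): v for k, v in os.environ.items()}
    found = []
    for folder in STARTUP_FOLDERS + DROP_FOLDERS:
        real = os.path.expandvars(folder)
        if os.path.isdir(real):
            found += [os.path.join(real, f) for f in os.listdir(real)]
    return triage(found, env)


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS, SAMPLE_ENV) + triage_live():
        print(f"{reason:40} {path}")
```

The reason codes are only a starting point for manual review: a shortcut with a random-looking name is not proof of infection, and a legitimately installed application can drop an executable directly under `%APPDATA%`, so confirm each hit (publisher signature, creation time, what the shortcut points to) before deleting anything. Run the script from Safe Mode as the post advises so that the malware cannot interfere with the listing.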




