Citadel Malware: Stealing Master Passwords to Popular Password Managers

Following all the recent data breaches, many of us have been changing our passwords on a regular basis. Not only is it smart, it is practically necessary. Changing our passwords to high-security, random sequences is not very difficult. The difficult part, of course, is remembering them, especially when we avoid reusing the same password across sites. For those of us unable to remember long strings of random letters, numbers, and symbols, password managers offer great relief: we no longer have to struggle to recall a password every time we want to check our email. It is a smart choice, overall. Unless someone steals your master password.

This week, IBM’s Trusteer security researchers discovered a version of the Citadel malware that starts recording keystrokes specifically when one of three popular password managers is running. This is done by using this code:

Personal.exe belongs to the Nexus Personal Security Client, which lets users carry out secure financial transactions and other security-dependent tasks directly from the desktop.

PWsafe.exe belongs to Password Safe, an open source project that stores your password database locally, encrypted. Its code has been inspected by security experts and thousands of other people alike.

KeePass.exe belongs to KeePass, a free and open source password manager solution.

Unfortunately, in all three cases the Citadel malware can easily capture the master password, simply by running a well-timed keylogger while the password manager is active. It is not clear for what purpose the passwords are collected (targeted or opportunistic), or where the data are being sent.