Using password managers is often recommended as good practice in order to prevent overusing the same logins, but a new malware has been uncovered that specifically targets the password managers that hold all the variants.
Neowin reports that the malware – named ‘Citadel’ – is “highly evasive”, and can lay dormant on infected computers for “an indefinite amount of time”, to be awoken by a specific user action, meaning that most people will be blissfully unaware that their computer has been compromised. It has allegedly already infected ‘millions’ of computers.
Ars Technica reports that a configuration file had been modified to get the Citadel trojan to begin keylogging when an infected computer opens either Password Safe or KeePass. The Register claims that the neXus Personal Security Client has also been targeted.
The malware works by “injecting itself into explorer.exe processes and hooking into APIs.” It then downloads a configuration file from a central server.
The discovery was made by IBM Trusteer, and the company’s director of enterprise security, Dana Tamir, told Ars Technica that the extent of the attacks is currently limited, but that a focus on password managers could become a more common method of attack. “Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,” Tamir explained.
“I think that password managers and authentication solutions are more critical than ever. But it is important to keep in mind that these solutions are not sufficient in and of themselves—they have to be accessed from a clean machine,” she added.
The configuration file suggests that the attackers were using a ‘legitimate web server’ as the command-and-control server, but the files were removed from the server by the time researchers discovered it, so at this point the identity of who is behind the attacks remains a mystery.