Citadel, the aggressive botnet at the heart of a widely criticised takedown by Microsoft back in June, is back and stealing banking credentials from Japanese users, according to Trend Micro.
The security vendor claimed to have found “at least 9 IP addresses”, mostly located in Europe and the US, functioning as the botnet’s command and control servers.
Some 96 per cent of connections to these C&C servers come from Japan, proving that most of the banking Trojan infections are from that country alone, it said.
Trend Micro added the following in a blog post:
During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible.
The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.
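To show how figures like "96 per cent of connections from Japan" and "20,000 unique IP addresses over six days" are derived from sinkhole or firewall logs, here is an added Python example. It is not Trend Micro's code and not part of the original article; the C&C addresses, source addresses, GeoIP mapping and log lines are all constructed placeholders (the page does not list the real ones). The same logic lets a defender count how many hosts on their own network are beaconing to a blocklisted address and whether that number is falling day by day.

```python
"""Aggregate connection logs against a C&C address list (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed placeholder C&C addresses; the real servers from the report are not on the page.
CC_SERVERS = {"203.0.113.10", "198.51.100.25"}

# Constructed stand-in for a GeoIP lookup of source addresses.
GEO = {
    "192.0.2.1": "JP",
    "192.0.2.2": "JP",
    "192.0.2.3": "JP",
    "192.0.2.4": "JP",
    "192.0.2.5": "DE",
}

# Constructed sinkhole/firewall log lines: "<timestamp> <src> -> <dst>:<port>".
# The 198.51.100.99 line is ordinary traffic and must not be counted as a check-in.
SAMPLE_LOG = """\
2012-09-01T08:00:01 192.0.2.1 -> 203.0.113.10:80
2012-09-01T08:05:12 192.0.2.2 -> 203.0.113.10:80
2012-09-01T09:10:44 192.0.2.3 -> 198.51.100.25:80
2012-09-01T10:00:00 192.0.2.1 -> 198.51.100.99:443
2012-09-02T08:01:09 192.0.2.1 -> 203.0.113.10:80
2012-09-02T08:30:33 192.0.2.4 -> 198.51.100.25:80
2012-09-02T11:20:05 192.0.2.5 -> 203.0.113.10:80
2012-09-03T08:02:47 192.0.2.2 -> 198.51.100.25:80
2012-09-03T08:44:19 192.0.2.4 -> 203.0.113.10:80
"""


def parse_line(line):
    """Parse '<ts> <src> -> <dst>:<port>' into (date, src, dst)."""
    ts, src, _arrow, dst_port = line.split()
    dst, _port = dst_port.rsplit(":", 1)
    return ts.split("T", 1)[0], src, dst


def summarise(lines, cc_servers, geo):
    """Count C&C check-ins: unique victims overall, per day, and share per country."""
    victims = set()
    per_day = defaultdict(set)
    by_country = Counter()
    total = 0
    for line in lines:
        if not line.strip():
            continue
        day, src, dst = parse_line(line)
        if dst not in cc_servers:
            continue  # not a connection to a known C&C address
        total += 1
        victims.add(src)
        per_day[day].add(src)
        by_country[geo.get(src, "??")] += 1  # "??" when GeoIP has no entry
    share = {c: n / total for c, n in by_country.items()} if total else {}
    return {
        "connections": total,
        "unique_victims": len(victims),
        "victims": sorted(victims),
        "country_share": share,
        # Per-day unique victim counts show whether infections are being cleaned up.
        "daily_unique": {d: len(s) for d, s in sorted(per_day.items())},
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines(), CC_SERVERS, GEO)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Counting unique source addresses rather than raw connections matters here: a single infected host checks in repeatedly, so connection totals overstate the number of victims, while a flat per-day unique count (as in the quoted "only a very minimal decrease") is the signal that infected systems are not being remediated.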
As well as Japanese financial and banking organisations, the botnet has been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro said.