Citadel’s Man-in-the-Firefox: An Implementation Walk-Through

While banking malware or “bankers” have a lot of functionality, they are defined by their Man-in-the-Browser (MITB) implementation. This mechanism allows them to not only steal banking usernames and passwords, but to also inject arbitrary content into banking websites in order to social engineer and try and steal additional credentials such as identifying information, pins, and token codes.

The paper below will walk through Citadel’s MITB implementation for the Firefox web browser. Citadel was chosen as the malware of interest because at the time of writing it was one of the main banking trojans being used in the wild. Even after Microsoft’s Operation b54 which took down more than 1,400 Citadel botnets, the malware is alive and well and being used by distinct threat actors to target various countries and their associated financial sectors. The focus will be on Firefox because it is an easier target to walk through, but the concepts can be extrapolated to (and have been implemented for) other browsers–Internet Explorer, Opera, and some versions of Chrome.

Since its arrival sometime in early 2012, there has been a lot of good analysis on Citadel as a whole, but they don’t venture very deeply into the MITB functionality. Likewise, there have been a lot of good write-ups and proof of concept code for MITB techniques, but they have usually stopped short of showing in the wild, malicious implementations. The goal of this paper is to help bridge that gap.

More specifically, this paper shows how Citadel modifies a benign banking website like this:

citadel_mitb1to a malicious version:

citadel_mitb2so that they can harvest banking credentials from innocent victims:

citadel_mitb3Techniques like MITB are making “bankers” incredibly deft at their craft; infecting and affecting a large number of people and companies across the world. The more that these tactics are understood, the better they can be protected against.

For the full white paper (PDF) please click here.