The latest version of Citadel watches an infected PC to see if users activate one of several types of password managers. If so, the malware begins keystroke logging to capture and relay the master password - for the password management software - to the attackers. Stealing this master password "enables the cyber-attacker to unlock and access the entire list" of usernames and passwords being stored inside the password manager, says Dana Tamir, director of enterprise security for IBM's Trusteer, in a blog post.
Rony Shapiro, the developer behind Password Safe, one of the password management applications targeted by the latest version of Citadel, tells Information Security Media Group that users of the application can defend against Citadel attacks in two ways. "It appears that changing the name of the executable would suffice. That is, renaming pwsafe.exe to nothing_here.exe would be enough to avoid Citadel from capturing the master passphrase," Shapiro says. A captured master passphrase would otherwise allow attackers to decrypt the passwords stored by the application.