The Citadel 1.5.x.y trojan banker is likely establishing covert communication with a command-and-control server to exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data breaches early.
YARA Rule

```yara
rule citadel13xy
{
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Citadel 1.5.x.y trojan banker"
        date = "2013-01-12"
        version = "1.0"
        filetype = "memory"
    strings:
        $a = "Coded by BRIAN KREBS for personnal use only. I love my job & wife."
        $b = "http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php"
        $c = "%BOTID%"
        $d = "%BOTNET%"
        $e = "cit_video.module"
        $f = "bc_remove"
        $g = "bc_add"
        $ggurl = "http://www.google.com/webhp"
    condition:
        3 of them
}
```
This rule contains 8 string patterns in its detection logic and fires only when at least 3 of them are present (condition `3 of them`). Its filetype is declared as "memory", so it is intended to be run against process memory rather than files on disk. The scenarios below describe legitimate activity that can resemble the behaviour this rule targets, together with exclusions to reduce false positives when hunting in Azure Sentinel.
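To make the `3 of them` logic concrete, here is an added example (not part of the original page or of the rule author's tooling) that re-implements the rule's string set and threshold in plain Python and runs it over constructed memory regions. The region contents and names are made up for illustration; the matching is a simplified stand-in for the YARA engine (plain ASCII substring search, which is what these un-modified strings amount to) and is not a replacement for running the rule under yara itself.

```python
"""Stand-in for the citadel13xy rule's '3 of them' condition (added example)."""
from typing import Dict, List

# The eight strings from the rule, as raw ASCII bytes. YARA matches plain
# string literals as ASCII unless 'wide' or 'nocase' is specified, and the
# rule uses neither, so a byte substring search is equivalent here.
CITADEL_STRINGS: Dict[str, bytes] = {
    "$a": b"Coded by BRIAN KREBS for personnal use only. I love my job & wife.",
    "$b": b"http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php",
    "$c": b"%BOTID%",
    "$d": b"%BOTNET%",
    "$e": b"cit_video.module",
    "$f": b"bc_remove",
    "$g": b"bc_add",
    "$ggurl": b"http://www.google.com/webhp",
}

# 'condition: 3 of them' -> at least three distinct strings must match.
MIN_MATCHES = 3


def matched_strings(region: bytes) -> List[str]:
    """Return the identifiers of every rule string found in the region."""
    return [name for name, pattern in CITADEL_STRINGS.items() if pattern in region]


def rule_fires(region: bytes) -> bool:
    """True when the region satisfies the rule's '3 of them' condition."""
    return len(matched_strings(region)) >= MIN_MATCHES


def scan_regions(regions: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan several named memory regions; report only those where the rule fires,
    with the strings that triggered it (useful context for a triage ticket)."""
    return {name: matched_strings(data) for name, data in regions.items() if rule_fires(data)}


# Constructed sample regions (not real memory dumps). 'benign_browser' shows why
# the threshold matters: a browser that visited google.com/webhp legitimately
# holds $ggurl in memory, but one string alone must not raise an alert.
SAMPLE_REGIONS: Dict[str, bytes] = {
    "benign_browser": b"GET /webhp HTTP/1.1\r\nHost: www.google.com\r\n"
    + b"\x00" * 16
    + b"http://www.google.com/webhp",
    "suspicious_heap": b"\x90" * 8 + b"%BOTID%\x00%BOTNET%\x00" + b"bc_add\x00bc_remove\x00",
    "unrelated": b"MZ\x90\x00" + b"A" * 64,
}

if __name__ == "__main__":
    for name, data in SAMPLE_REGIONS.items():
        hits = matched_strings(data)
        verdict = "FIRES" if rule_fires(data) else "no alert"
        print(f"{name:16s} {verdict:9s} matched={hits}")
```

Running the block prints one line per region; only `suspicious_heap` crosses the threshold, while `benign_browser` shows a single $ggurl hit and stays quiet. Keeping the matched identifiers in the output makes it easy to spot when a hit is driven by the low-value strings ($g, $ggurl) versus the ones that are far more specific to Citadel ($a, $b, $e).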
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that mimics the behavior of the Citadel trojan, such as downloading files or modifying registry keys.
Filter/Exclusion: Check for ProcessName containing TaskScheduler or schtasks.exe, and filter out processes associated with known maintenance scripts (e.g., Cleanup.exe, DiskDefrag.exe).

Scenario: Admin Performing Remote Desktop Session
Description: An administrator uses Remote Desktop Protocol (RDP) to access a server and performs actions that could be misinterpreted as malicious activity, such as executing commands or modifying files.
Filter/Exclusion: Filter by the User field to exclude known admin accounts (e.g., Administrator, svc_account), and check for a ProcessParent that matches a legitimate RDP session process (e.g., mstsc.exe).

Scenario: Software Update or Patch Deployment
Description: A legitimate software update or patch deployment tool (e.g., Microsoft Update, SCCM, or Ansible) executes scripts that temporarily modify system files or registry entries.
Filter/Exclusion: Filter by ProcessName containing msiexec.exe, setup.exe, or ansible.exe, and check for CommandLine arguments that include update-related keywords (e.g., /quiet, /norestart).

Scenario: Database Backup Job Execution
Description: A database backup job (e.g., using sqlbackup.exe, mysqldump, or pg_dump) runs and generates temporary files or modifies system settings during the backup process.
Filter/Exclusion: Filter by ProcessName containing sqlbackup.exe, mysqldump.exe, or pg_dump.exe, and check for CommandLine arguments that include backup-related flags (e.g