Malware specifically targets password managers

Boy, just when you thought you were doing it right!

Ars Technica, Dark Reading, Security Week and others are reporting a new variant of the Citadel malware that has been around for several years.

According to the articles, the new variant monitors processes and when it sees Keepass, Password Safe or neXus start up, it fires up a keystroke logger to grab the master password for the file.  At that point, the fact that file is encrypted is of little value since the malware has the key to the lock.

Apparently, according to IBM researchers who found this, this variant was created by just modifying the config file of the malware.  This means that if you change the name of the process, all that would need to be done to catch that would be to edit the config file and if they wanted to do the same thing with a different password manager, again, all they would need to do is edit the config file, so the fact that you are using a different password manager only protects you today, not tomorrow.

They said they did not know if this was a mass change or a targeted attack, but if it was targeted, I suspect it won’t be for long.

I *think* that if your password manager supports two factor authentication, then that might protect you against this attack.  It depends whether the second factor is static or dynamic.

This is why the security business is a cat and mouse game.  You make a change, the bad guys make a change.  You make a change to your change.  You get the idea.  If you were hoping that you could do something once and be done, I am sorry, but that is not gonna happen.