Evolved versions of the notorious Citadel banking Trojan have resurfaced targeting Japanese computer users, according to Trend Micro researchers, which warned the threat could move to Europe at any time.
The researchers announced findings linking the malwares to command and control servers in Europe in a public blog post, warning current evidence suggests the attacks are part of a wider campaign.
"We've identified at least nine IP addresses serving as its command and control (C&C) servers, most of them detected to be belonging in the US and Europe," according to the report.
"Monitoring these servers, we also discovered that 96 percent of the connections to these servers are coming from Japan - further proof that the most of the banking Trojan infections are coming from that one specific country."
The Trend researchers reported detecting 20,000 unique IP addresses connecting to the malware servers in the six days its was actively tracked.
"During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there are still a large number of infected systems stealing online banking credentials and sending them to the cyber criminals responsible," read the report.
The news is the latest incidence of the Citadel Trojan reappearing following take down attempts by law enforcement. In the past Microsoft and the US FBI have mounted numerous takedown attempts against criminals using the Citadel Trojan. The campaign has had some success, with the pair taking down a $500m Citadel botnet in June 2012.
Despite the success of the takedowns, the Citadel Trojan has constantly resurfaced. Trend Micro security director Rik Ferguson said the open nature of the malware and its public availability on numerous cyber black markets means it is likely more versions of the Citadel Trojan will continue to appear.
"Citadel is a successful offshoot of the ZeuS source code and now a highly effective piece of malware, both as financial malware in its own right and as a software distribution platform for other malicious activity, such as ransomware," he wrote.
"Obviously arrests lie the actions of the Spanish police against the Reveton gang and botnet takedowns such as Microsoft recent action against 1,400 Citadel domains can make a dent in criminal operations, but anyone with access to a builder is able to start again, rebuilding botnets and infecting new victims."
Ferguson added the new versions will not be limited to targeting Japan, clarifying European businesses are equally at risk from the Trojan. "Citadel is of course not specific to Japanese victims, and we expect to see further Citadel activity in European territories too," he said.
Prior to Trend Micro numerous other security firms have listed Citadel as one of the biggest threats facing businesses. Most recently McAfee listed tweaked versions of the Citadel and Koobface Trojans as two of the biggest cyber threats facing companies in its Q1 2013 Threat Report.