Atmos IT Security Threat

Atmos IT Security Threat

Atmos is a continuation of a previous threat which was called Citadel.  It is the evolution of a credential stealer which now boasts comprehensive functionality used by criminals. Atmos can be used as hacktool or RAT for infiltration. The main concern is the success of previous version, which the FBI stated that they uncovered a botnet of over 11 million computers worldwide.

When you consider that Atmos is more advanced than its previous counterpart combining its best features into one comprehensive criminal toolbox, it is easy to see why it has the IT security community.



ZeuS (also known as Zeus, or Zbot) is a type of malware with the capability to act as a trojan horse was first identified in 2007, and was famed for stealing information from the United States Department of Transportation. Later it was discovered to have compromised a number of big name FTP accounts on websites such as Amazon, NASA and ABC. After ZeuS’s success its source code was released and criminals leaped on this opportunity to create further more advanced malware strains including Citadel. Citadel in 2011 was the next big evolution which was created to steal money and personal details from its victims. It had the ability to execute code allowing it to push ransomware and scareware onto compromised machines. Citadel also targeted public and private organisations primarily in Europe and had a propensity towards French banks. It would collect the credentials of users to gain access to internal programs and information. Citadel’s creator has since been convicted, however it seems the code has lived on to form Atmos, which is one of the latest evolutions. Atmos has been around since the end of 2015, but has only recently picked up momentum. It seems like Atmos is similar to Citadel in its objectives to collect money and private data given its similar behaviour. Atmos has been seen to use Teslacrypt v4, a form of ransomware encryption which some in the IT security community have dubbed as unbreakable.



Atmos like its predecessor uses worldwide resources, with servers in the US, Canada, Vietnam, Russia and Turkey. Variations of it are up for sale and it can be purchased by criminals internationally who are willing to pay for its functionality. There are thought to be 1000+ bots in the network and the number is expected to continue growing. It is thought that Atmos is sold on a per licence basis to distributors and that distributors also have resellers to spread the effort involved in disseminating malware. The biggest worry for IT management is that Atmos could be on their organisations computers already, collecting private data silently and they may not know about it.

Practical Advice

Make sure your IT staff do the following:

  • Block or train users to avoid suspicious file downloading.
  • Educate users not to open attachments and links in suspicious emails.
  • Use a trusted brand of antivirus and keep it up to date.
  • Keep browsers up to date.
  • Keep the operating system up to date.
  • Monitor for suspicious network activity.
  • Monitor the destination of suspicious network activity.

For help and advice on the above or any other IT topic please contact us.

Leave a Reply