A Citadel domain appeared yesterday on the ZeuS Tracker:
inforick. I thought this domain was done to annoy Rick of MalwareMustDie, but it seems not related.
A friend (Kafeine) has found this binary; it was loaded via the Impact Exploit Kit.
The Citadel domain 'inforick.com' seems hijacked: there is no trace of a C&C on this server, just a gate.php that acts as a redirector to another domain.
The Citadel binary is FUD.
When unpacked, the config details are:
Drop: hxtp://inforick.com/img/gate.php
Infection: hxtp://inforick.com/zip/file.php|file=soft.exe
Update: hxtp://hostname1.tilder77.tk/sham11/file.php
Update: hxtp://sipginues.com/status/file.php|file=config.bin
Hard config: hxtp://inforick.com/img/file.php|file=config.dll
Key: 82 75 FC 56 7F D5 E6 A0 F3 B6 61 18 4B C8 B1 41
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
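As an added example (not code from the original post or from any tracker), here is a small parser that turns an unpacked Citadel config dump of the shape shown above ("Label: url|file=name" lines plus hex keys) into structured indicators a defender can feed into a blocklist or a ticket: hosts, the role each endpoint plays, the payload filenames, and the byte length of each key. The label names and the defanged "hxtp" URLs are the page's own; the assumption that every line follows that "label: value" layout is mine, and the sample config embedded below is a constructed copy of the dump above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the config dump from the post (defanged "hxtp" kept as-is).
CONFIG_DUMP = """\
Drop: hxtp://inforick.com/img/gate.php
Infection: hxtp://inforick.com/zip/file.php|file=soft.exe
Update: hxtp://hostname1.tilder77.tk/sham11/file.php
Update: hxtp://sipginues.com/status/file.php|file=config.bin
Hard config: hxtp://inforick.com/img/file.php|file=config.dll
Key: 82 75 FC 56 7F D5 E6 A0 F3 B6 61 18 4B C8 B1 41
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
"""

# Accepts defanged schemes (hxtp, hxxp) as well as plain http/https;
# the optional "|file=" suffix names the payload served by that endpoint.
URL_RE = re.compile(
    r"^(?P<scheme>hx+tps?|https?)://(?P<host>[^/|]+)(?P<path>[^|]*)"
    r"(?:\|file=(?P<file>.+))?$"
)

KEY_LABELS = ("Key", "Login key")


@dataclass
class Endpoint:
    role: str            # label from the dump: Drop, Infection, Update, Hard config
    url: str             # value exactly as dumped (still defanged)
    host: str
    path: str
    file: Optional[str]  # payload filename from "|file=...", if present


def parse_config(text: str) -> Tuple[List[Endpoint], Dict[str, bytes]]:
    """Split the dump into URL endpoints and raw key bytes.

    Raises ValueError on a labelled line that does not look like a URL,
    so a malformed or truncated dump is noticed instead of silently skipped.
    """
    endpoints: List[Endpoint] = []
    keys: Dict[str, bytes] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # partition on the FIRST colon only: the URL value contains "://"
        label, _, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if label in KEY_LABELS:
            keys[label] = bytes.fromhex(value.replace(" ", ""))
            continue
        m = URL_RE.match(value)
        if not m:
            raise ValueError(f"unparsed {label!r} line: {value!r}")
        endpoints.append(Endpoint(label, value, m["host"], m["path"], m["file"]))
    return endpoints, keys


def hosts(endpoints: List[Endpoint]) -> List[str]:
    """Unique hostnames, sorted, for a DNS/proxy blocklist."""
    return sorted({e.host for e in endpoints})


def roles_by_host(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Which roles each host serves, in dump order (shows a host reused for several stages)."""
    out: Dict[str, List[str]] = {}
    for e in endpoints:
        out.setdefault(e.host, []).append(e.role)
    return out


def payload_files(endpoints: List[Endpoint]) -> Dict[str, str]:
    """Map payload filename -> role, for hunting those names on disk or in proxy logs."""
    return {e.file: e.role for e in endpoints if e.file}


def key_lengths(keys: Dict[str, bytes]) -> Dict[str, int]:
    """Byte length of each key; a wrong length usually means the dump was mangled."""
    return {label: len(k) for label, k in keys.items()}


if __name__ == "__main__":
    eps, ks = parse_config(CONFIG_DUMP)
    print("hosts:", hosts(eps))
    print("roles:", roles_by_host(eps))
    print("payloads:", payload_files(eps))
    print("key lengths:", key_lengths(ks))
```

The parser deliberately keeps the URLs defanged; refang only at the point where an indicator is actually loaded into a blocking control, never in the shared report.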
This Citadel is targeting Canadian banks, more specifically: Canadian Imperial Bank of Commerce, Scotiabank, Bank of Montreal and Toronto-Dominion Bank.
MiTB (man-in-the-browser) panels were found inside the config:
The first one is on empressbridge.com; this server seems hijacked too.
Panel pages (screenshots not preserved): Login, Intercept, Add commands, Commands, Edit, Jabber, Change password.
The second panel is hosted on aussieconnect.net.
This one has a valid SSL certificate.
Panel pages (screenshots not preserved): Log, Details.
This is the first time I see this panel; I have no idea who sells it.
About inforick.com: this domain is now nuked.