Monday 4 November 2013

Citadel targeting Canada


A Citadel domain appeared yesterday on the Zeus tracker:
inforick: at first I thought this domain was registered to annoy Rick of MalwareMustDie, but it seems unrelated.

A friend (Kafeine) found this binary; it was loaded via the Impact Exploit Kit.
The Citadel domain 'inforick.com' seems hijacked: there is no trace of a C&C on this server, just a gate.php that acts as a redirector to another domain.

The Citadel binary is FUD (fully undetectable: no antivirus detections at the time of writing).

When unpacked, the config details are:
Drop: hxtp://inforick.com/img/gate.php
Infection: hxtp://inforick.com/zip/file.php|file=soft.exe
Update: hxtp://hostname1.tilder77.tk/sham11/file.php
Update: hxtp://sipginues.com/status/file.php|file=config.bin
Hard config: hxtp://inforick.com/img/file.php|file=config.dll
Key: 82 75 FC 56 7F D5 E6 A0 F3 B6 61 18 4B C8 B1 41
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
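The config listing above is the kind of artefact a defender wants turned into a blocklist and a proxy-log search straight away. The following is an added example (not a tool from the original post or from any Citadel-related project): it parses the unpacked-config lines, refangs the analyst's `hxtp://` scheme, splits the `|file=...` suffix off as a parameter (the assumption here is that it denotes a query string), and builds a URL regex to run over constructed proxy-log lines. The RC4 key and login key are only parsed into bytes for storage; no attempt is made to reproduce Citadel's config decryption.

```python
import re
from urllib.parse import urlparse

# Constructed from the config values quoted in the post. "hxtp" is the
# analyst's defanging of "http" and is reversed here only for parsing.
CONFIG_DUMP = """\
Drop: hxtp://inforick.com/img/gate.php
Infection: hxtp://inforick.com/zip/file.php|file=soft.exe
Update: hxtp://hostname1.tilder77.tk/sham11/file.php
Update: hxtp://sipginues.com/status/file.php|file=config.bin
Hard config: hxtp://inforick.com/img/file.php|file=config.dll
Key: 82 75 FC 56 7F D5 E6 A0 F3 B6 61 18 4B C8 B1 41
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
"""

# Constructed proxy-log lines (hypothetical format: ts client method url status).
PROXY_LOG = [
    "1383580800 10.0.0.12 GET http://inforick.com/img/gate.php 200",
    "1383580801 10.0.0.12 POST http://www.example.org/login 200",
    "1383580810 10.0.0.33 GET http://sipginues.com/status/file.php?file=config.bin 200",
]

LINE_RE = re.compile(r"^(?P<field>[A-Za-z ]+):\s*(?P<value>.+?)\s*$")
DEFANG_RE = re.compile(r"^hx[xt]p(s?)://", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged scheme (hxtp://, hxxp://, hxxps://) back into http(s)://."""
    return DEFANG_RE.sub(r"http\1://", url)


def parse_config(text: str) -> dict:
    """Parse the unpacked-config listing into URL records and key material.

    Returns {"urls": [{field, url, host, path, param}, ...],
             "rc4_key": bytes, "login_key": bytes}.
    """
    result = {"urls": [], "rc4_key": b"", "login_key": b""}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        field, value = m.group("field").strip(), m.group("value")
        if "://" in value:
            # Assumption: "url|file=x" means the file= query parameter.
            url, _, param = value.partition("|")
            u = urlparse(refang(url))
            result["urls"].append({
                "field": field,
                "url": u.geturl(),
                "host": u.hostname,
                "path": u.path,
                "param": param or None,
            })
        elif field.lower() == "key":
            result["rc4_key"] = bytes.fromhex(value.replace(" ", ""))
        elif field.lower() == "login key":
            result["login_key"] = bytes.fromhex(value)
    return result


def hosts(parsed: dict) -> list:
    """Deduplicated, sorted host list suitable for a DNS/proxy blocklist."""
    return sorted({e["host"] for e in parsed["urls"]})


def url_pattern(parsed: dict) -> "re.Pattern":
    """Regex matching any configured host+path, followed by ?, #, /, whitespace or end."""
    alts = sorted({re.escape(e["host"] + e["path"]) for e in parsed["urls"]})
    return re.compile(r"https?://(?:" + "|".join(alts) + r")(?=[?#/\s]|$)")


def find_hits(log_lines: list, parsed: dict) -> list:
    """Return the log lines that contact one of the configured URLs."""
    pat = url_pattern(parsed)
    return [line for line in log_lines if pat.search(line)]


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    print("hosts:", ", ".join(hosts(cfg)))
    for hit in find_hits(PROXY_LOG, cfg):
        print("HIT:", hit)
```

Matching on host plus path rather than host alone keeps the search useful for the hijacked servers in this post, where only one path on an otherwise legitimate domain is malicious.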

This Citadel is targeting Canadian banks, more specifically: Canadian Imperial Bank of Commerce, Scotiabank, Bank of Montreal and Toronto-Dominion Bank.

A MiTB (man-in-the-browser) panel was found inside the config:


The first one is on empressbridge.com; this server seems hijacked too.

Panel screenshots (images not reproduced): Login, Intercept, Add commands, Commands, Edit, Jabber, Change password.

Second panel, hosted on aussieconnect.net.
This one has a valid SSL certificate.

Panel screenshots (images not reproduced): Log, Details.

This is the first time I have seen this panel; I have no idea who sells it.
As for inforick.com, the domain is now nuked.

4 comments:

  1. This panel is from "rgklink"

    1. zummer or mx00077 panel 100%. I have their web injects, ATS and CC grabbers. I sell CCs on many boards and my CCs are high quality because I use only professional injects to collect them. They are very powerful coders.

  2. But this Citadel panel looks different from the previous Citadel you talked about... seems modified.

  3. Been two years, and Kronos is so close to being cracked now...
