A Citadel domain appeared yesterday on the Zeus tracker:
A friend (Kafeine) found this binary; it was loaded via the Impact Exploit Kit.
The Citadel domain 'inforick.com' seems hijacked: there is no trace of a C&C on this server, just a gate.php that acts as a redirector to another domain.
When unpacked, config details:
This Citadel is targeting Canadian banks, more specifically: Canadian Imperial Bank of Commerce, Scotiabank, Bank of Montreal and Toronto-Dominion Bank.
A MiTB panel was found inside the config:
The first one is on empressbridge.com; this server seems hijacked too.
Second panel, hosted on aussieconnect.net
This one has valid SSL.
This is the first time I have seen this panel; I have no idea who sells it.
About inforick.com, this domain is now nuked.