I came across this malware today at work and I think what it does is create a Fiddler proxy to intercept the SSL certificates.
I noticed the work Citrix SSL certificate had DO_NOT_TRUST in the issuer field. On further investigation, it looks like it was intercepting the SSL certificate and replacing it with a remote Fiddler proxy, essentially saving all the logins and passwords during SSL sessions. I gathered this from the status messages that were seen during the login process.
Edited by Chris Cosgrove, 07 November 2014 - 06:53 PM.
Moved to General Security