The IT security researchers at Bitdefender have discovered a banking malware that apparently has been developed after keeping the dangerous Zeus trojan in mind. Dubbed Terdot by researchers the trojan was first identified in June 2016. It is capable of injecting visited web pages with HTML code to conduct man-in-the-middle (MitM) attacks and steal banking data including credit card information.
According to Bitdefender, the trojan also hunts for login credentials belonging to social media websites including Google Plus, Facebook, and Twitter. It also targets Yahoo users to steal their passwords, but interestingly Terdot’s algorithm does not allow it to gather any data from vk.com, Russia’s largest social media platform.
What worrisome is that Terdot has capabilities to automatically modify and update itself which further allow it to download and execute any type of file when requested by its operator. This means the trojan can update itself with new capabilities that might trick anti-virus programs by evading detection.
“Terdot is a complex malware, building upon the legacy of Zeus,” Bitdefender said. “Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean.”
Furthermore, Bitdefender noted that the trojan is being delivered via email attachment with fake and malicious PDF files.
Remember, a couple of weeks ago; Cisco Talos researchers found attackers manipulating Google Search results to distribute Zeus Panda banking trojan. Its target was the Middle East and India based financial institutions. Tredot, however, targets institutions in Australia, the United Kingdom, and the United States.
Although its origin is still unknown the fact that Tredot is not allowed to steal VK’s data, it is quite possible that the culprit might be Russian.
Manoj Asnani, VP of product and design at Balbix said that enterprises might face difficulties tackling Terdot.
“Terdot uses two attack vectors to exploit users—phishing and man-in-the-middle,”Asnani told HackRead via email. “Enterprises that have deployed breach prediction systems that comprehensively cover all attack vectors are able to defend against Terdot more effectively. But, it should be noted that most of the today’s detection solutions are single attack vector focused. A multi-vector system is needed in this case—and would have proactively flagged users that are at risk of phishing, in addition to compromised or spoofed certificates.”
Further technical details for Terdot trojan are available here [PDF].