What is Terdot? Malicious banking malware can monitor and modify your Facebook and Twitter accounts
Like most malware attacks, Terdot also begins with a phishing email.
Security researchers have discovered a sophisticated new malware based on the malicious Zeus banking trojan that has been revamped with new espionage capabilities designed to target social media accounts. The Terdot trojan has been active since mid 2016 and is capable of stealing browsing information, injecting an HTML code in visited web pages and operating an MITM proxy.
However, researchers found that the highly-customised Trojan can also eavesdrop on and even modify traffic on most social media and email platforms. The malware also has automatic update capabilities that allow it to download and execute any files as requested by its operator. This essentially means the malware can develop new capabilities on the go as well.
Some of the banking websites regularly targeted by Terdot include numerous Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardines, BMO and Scotiabank among others.
In addition to its banking targets, it can also target information from popular email service providers including Microsoft's live.com login page, Yahoo Mail and Gmail. Facebook, Twitter, Google Plus and YouTube are also targeted.
"Interestingly, the malware is specifically instructed not to gather any data from vk.com, Russia's largest social media platform," Bitdefender noted.
Like most malware attacks, Terdot also begins with a phishing email that appears to contain a PDF file. However, clicking on that file executes the Javascript code to download and run the malware on the disk.
To evade detection by security software, the malware uses a complex chain of droppers, injections and downloaders that help download the malware in pieces. Terdot has also been delivered in malware campaigns using the Sundown Exploit Kit as well, researchers noted.
The versatile malware, once installed, injects itself into the browser processes in a classic man-in-the-middle attack to read traffic and deliver code. It can also steal authentication data by inspecting the user's requests or by injecting spyware Javascript code in the responses.
"The malware has the capability to intercept all browser traffic, including HTTPS traffic, by forging SSL certificates," Bitdefender said. "It saves specific information (including credentials and banking information), it injects custom HTML and Javascript into the victims' webpages, and it sends saved data to C&C servers."
Terdot could exploit social media accounts to steal and gather account login information to sell or use the accounts to spread itself by posting fake links to other social media accounts.
Researchers said Terdot's cybercapabilities go "above and beyond" that of a regular banking Trojan.
"Terdot is a complex malware, building upon the legacy of Zeus," researchers said. "Its modular structure, complex injections and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.
"Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyberespionage tool that is extremely difficult to spot and clean."