Terdot Banking Trojan is back and it now implements espionage capabilities

The Terdot banking Trojan isn’t a novelty in the threat landscape, it has been around since mid-2016, and now it is reappearing on the scenes.

According to Bitdefender experts, vxers have improved the threat across the years, implementing credential harvesting features as well as social media account monitoring functionality.

The Terdot banking Trojan is based on the Zeus code that was leaked back in 2011, the authors have added a number of improvements, such as leveraging open-source tools for spoofing SSL certificates and using a proxy to filter web traffic in search of sensitive information.

“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.” states the report published by BitDefender.

The ability of the Trojan in powering man-in-the-middle attacks could be exploited also to manipulate traffic on most social media and email platforms.

The Terdot banking Trojan implements sophisticated hooking and interception techniques, experts highlighted its evasion capabilities.

The banking Trojan is distributed mainly through compromised websites hosting the SunDown Exploit Kit. The Bitdefender researchers observed crooks spreading it through spam emails with a bogus PDF icon button which, if selected, executes JavaScript code that drop the malware on the victim’s machine.

Once installed on the victim’s machine, the Terdot banking Trojan downloads updates and commands from the C&C server, the URL it the same it sends system information to. The Trojan also used a Domain Generation Algorithm (DGA).

“Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Terdot banking Trojan, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]