Terdot banking trojan targets social media, email & financial services


Saying that Terdot malware is a banking trojan is kind of like saying your computer is a giant calculator. Yes, that's essentially what it is, but it's also a whole lot more.

According to a new, in-depth analysis of Terdot from Bitdefender, the malware not only steals credit card information and login credentials for online financial services, but also intercepts and modifies traffic on social media and email platforms. And because it updates itself automatically, its operators can add new capabilities at any time.

"Terdot goes above and beyond the capabilities of a Banker trojan," states Bitdefender in its report. "Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean."

An offshoot of the Zeus banking trojan, Terdot primarily targets users of Canadian financial websites including PCFinancial, Desjardins, BMO, Royal Bank, Toronto-Dominion Bank, Banque Nationale, Scotiabank, CIBC, and Tangerine Bank, Bitdefender reports. Targeted non-financial services include Microsoft's live.com login page, Yahoo Mail, Gmail, Facebook, Twitter, Google Plus, and YouTube.

However, it makes no attempt to victimise users of vk.com, Russia's largest social media platform, which may indicate that the perpetrators behind Terdot are linked to Russia.

Typically, the malware is delivered via the Sundown exploit kit or through malspam, while the actual infection chain relies on a series of droppers, injections and downloaders that help Terdot avoid detection.

Once active, Terdot steals credentials by injecting HTML code into the web pages the victim visits and by performing man-in-the-middle attacks: the victim's requests and the websites' responses are routed through the malware's own local proxy server, which can read and alter the traffic in either direction.

The trojan can even defeat Transport Layer Security (TLS), Bitdefender explains, by forging its own certificate for every domain the victim visits. "For Internet Explorer, the malware installs hooks to Win32 API certificate checking functions to trick the browser into trusting these forged certificates, and for Mozilla Firefox, Terdot adds the root certificate to the browser's trusted CA list, using legitimate tools provided by Mozilla."
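A practical consequence of the technique just described is that a browser whose trust store or certificate-checking APIs have been tampered with will report a forged connection as valid, so the signal has to come from what the certificate itself looks like. The following script is an added example, not code from the article or from Bitdefender's report: it inspects the leaf certificate a site presents (in the dictionary form Python's `ssl.getpeercert()` returns) and flags two traits of a certificate minted on the fly by a local interception proxy, namely an issuer that is not a known public CA and a `notBefore` timestamp only minutes old. The list of CA organisations, the two sample certificates and the `www.example.com` hostname are constructed for the demonstration; the sample issuer names do not reflect which CAs the sites named above actually use.

```python
"""Heuristic check for a locally forged TLS leaf certificate (added example)."""
import socket
import ssl
import time

# Issuer organisations a user's traffic is normally expected to chain to.
# Illustrative baseline only; in practice derive it from observed traffic.
KNOWN_PUBLIC_CA_ORGS = {
    "DigiCert Inc",
    "Entrust, Inc.",
    "GlobalSign nv-sa",
    "Let's Encrypt",
    "Sectigo Limited",
}

_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def _name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of the nested
    tuple-of-tuples form that ssl.getpeercert() uses for subject/issuer."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def assess_cert(cert, now=None, max_age_seconds=24 * 3600,
                known_orgs=KNOWN_PUBLIC_CA_ORGS):
    """Return the reasons a certificate looks locally forged; empty list means
    nothing odd. `cert` is the dict returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    findings = []
    issuer = cert.get("issuer", ())
    issuer_org = _name_field(issuer, "organizationName")
    issuer_cn = _name_field(issuer, "commonName")
    if issuer_org not in known_orgs:
        findings.append(f"issuer {issuer_org!r} (CN={issuer_cn!r}) is not a known public CA")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before > now:
        findings.append("notBefore lies in the future (clock skew or a sloppy forgery)")
    elif now - not_before < max_age_seconds:
        # A proxy that forges a certificate per visited domain mints it at
        # connection time, so notBefore is essentially 'now'.
        findings.append("certificate was issued less than a day ago (minted on the fly?)")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the peer certificate using the default (system) trust store.
    This performs no detection on its own: a forged root that was added to the
    trust store validates cleanly here, which is exactly why assess_cert()
    inspects the issuer and timestamps rather than the verification result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert_time(seconds):
    """Format a UTC timestamp the way getpeercert() does ('Nov 14 22:13:20 2023 GMT')."""
    tt = time.gmtime(seconds)
    return (f"{_MONTHS[tt.tm_mon - 1]} {tt.tm_mday:2d} "
            f"{tt.tm_hour:02d}:{tt.tm_min:02d}:{tt.tm_sec:02d} {tt.tm_year} GMT")


NOW = 1_700_000_000  # fixed 'now' so the samples below are reproducible

# Constructed sample: a leaf issued months ago by a public CA.
LEGIT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "Example Intermediate CA"),)),
    "notBefore": _cert_time(NOW - 200 * 86400),
    "notAfter": _cert_time(NOW + 165 * 86400),
}

# Constructed sample: a leaf minted seconds ago by a local interception root.
FORGED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Local Interception Root"),),),
    "notBefore": _cert_time(NOW - 30),
    "notAfter": _cert_time(NOW + 365 * 86400),
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python forged_cert_check.py bank.example
        print(assess_cert(fetch_peer_cert(sys.argv[1])) or ["no anomalies"])
    else:
        for label, cert in (("legit", LEGIT_CERT), ("forged", FORGED_CERT)):
            print(label, assess_cert(cert, now=NOW) or ["no anomalies"])
```

Both signals are heuristics: a freshly renewed certificate also has a recent `notBefore`, and an enterprise TLS-inspection proxy looks identical to a malicious one from this vantage point, so treat a hit as a prompt to inspect the machine (for instance, listing the Firefox profile's certificate database with Mozilla's `certutil -L -d sql:<profile>` and questioning any root you did not add) rather than as proof of infection. The durable defences against this class of attack are certificate pinning and Certificate Transparency monitoring on the service side, which the malware's local root cannot satisfy.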
