The Terdot banking trojan has been active since 2016, and now it is adding a new feature – espionage capabilities.
The Bitdefender security researchers reported that the Terdot creators have improved the trojan over the time, implementing credential harvesting features and social media account monitoring functionality.
The Terdot trojan is based on the Zeus code which was leaked in 2011. During the past years, the criminals have added a number of improvements, such as leveraging open-source tools for spoofing SSL certificates and using a proxy to filter web traffic in search of sensitive information.
“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.” the BitDefender report reads.
Now the ability of the Trojan in powering man-in-the-middle attacks could be exploited to manipulate traffic on most email platforms and social media.
Analysing the evasion capabilities of the Terdot trojan, the security experts noted that the threat features hooking and interception techniques.
Usually, the Terdot trojan is distributed via compromised websites hosting the SunDown Exploit Kit.
The Bitdefender experts noticed that hackers spread the banking through spam emails with a bogus PDF icon button which, if selected, executes JavaScript code which drops the malware on the user’s computer.
Being installed on the victim’s PC, the Terdot trojan downloads updates and commands from the C&C server, and the URL is the same it sends system information to.
The Terdot trojan also used a Domain Generation Algorithm (DGA).
“Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” the Bitdefender researchers state.
