Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details.
Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card details and login credentials, and inject HTML code into visited web pages.
However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.
Terdot does this by using a highly customized man-in-the-middle (MitM) proxy that allows the malware to intercept any traffic on an infected computer.
Besides this, the new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.
Terdot has usually targeted the banking websites of numerous Canadian institutions, such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank, among others.
This Trojan Can Steal Your Facebook, Twitter and Gmail accounts
According to the latest analysis, however, Terdot can now also target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google's Gmail, Microsoft's live.com, and Yahoo Mail.
Interestingly, the malware avoids gathering data related to Russia's largest social media platform, VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.
The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.
If clicked, it executes obfuscated JavaScript code that downloads and runs the malware file. In order to evade detection, the Trojan uses a complex chain of droppers, injections, and downloaders that allow the download of Terdot in pieces.
Once a machine is infected, the Trojan injects itself into the browser process to direct connections to its own web proxy, read traffic and inject spyware. It can also steal authentication information by inspecting the victim's requests or by injecting spyware JavaScript code into the responses.
Terdot can also bypass restrictions imposed by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and generating certificates for every domain the victim visits.
Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.
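The article says Terdot defeats TLS by generating its own Certificate Authority and issuing a certificate for every domain the victim visits. The example below is added here to illustrate that mechanism from the defender's side; it is not code from the article or from Bitdefender. Using only Go's standard library, it builds a genuine chain (a root CA signing a leaf for a bank host) and a locally forged chain (a second, self-generated CA signing a leaf for the same host), then runs two checks: ordinary chain validation against the trust store, and the same validation with the expected issuer's public key pinned. The host name `bank.example` and the assumption that the rogue CA ends up in the root store are constructed for the example; the article only states that the malware generates its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host name used throughout the example.
const bankHost = "bank.example"

// issue creates a certificate for cn. With parent nil it returns a self-signed CA;
// otherwise a server leaf for host cn signed by parent. Errors abort the example.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		signer, signerKey = tmpl, key
	} else { // server leaf for the host named in cn
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin returns the SHA-256 of a certificate's SubjectPublicKeyInfo, the value a
// client pins for the issuer it expects to see behind a given host.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyChain is the ordinary check: does the leaf chain to something in roots
// and carry the expected host name?
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool) ([][]*x509.Certificate, error) {
	return leaf.Verify(x509.VerifyOptions{DNSName: bankHost, Roots: roots})
}

// verifyPinned additionally requires one chain to pass through the pinned issuer key,
// so a locally generated CA is rejected even after it has been added to the store.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, pin string) error {
	chains, err := verifyChain(leaf, roots)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain[1:] { // chain[0] is the leaf itself
			if spkiPin(c) == pin {
				return nil
			}
		}
	}
	return fmt.Errorf("no issuer in the chain matches pin %s...", pin[:16])
}

// Result records which checks each leaf passes.
type Result struct {
	GenuineOK           bool // genuine leaf, clean store, pinned: passes
	ForgedCleanStore    bool // forged leaf, clean store: fails (unknown authority)
	ForgedTaintedStore  bool // forged leaf, store with rogue CA added: passes (the gap)
	ForgedTaintedPinned bool // forged leaf, same store, pinned: fails
}

// RunScenario builds both chains and evaluates the checks above.
func RunScenario() Result {
	realCA, realKey := issue("Real Root CA", 1, nil, nil)
	rogueCA, rogueKey := issue("Local Interception CA", 2, nil, nil) // constructed stand-in for a malware-generated CA
	genuine, _ := issue(bankHost, 3, realCA, realKey)
	forged, _ := issue(bankHost, 4, rogueCA, rogueKey)

	clean := x509.NewCertPool()
	clean.AddCert(realCA)
	tainted := x509.NewCertPool() // root store after the rogue CA has been trusted (assumed)
	tainted.AddCert(realCA)
	tainted.AddCert(rogueCA)
	pin := spkiPin(realCA)

	var r Result
	r.GenuineOK = verifyPinned(genuine, clean, pin) == nil
	_, e := verifyChain(forged, clean)
	r.ForgedCleanStore = e == nil
	_, e = verifyChain(forged, tainted)
	r.ForgedTaintedStore = e == nil
	r.ForgedTaintedPinned = verifyPinned(forged, tainted, pin) == nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point for defenders is the third result: once a locally generated CA is trusted by the browser or OS store, per-domain certificates minted on the fly validate like any other, which is why a MitM proxy of this kind is invisible to ordinary chain checks. Issuer pinning (or monitoring the trust store for unexpected root additions) is what turns the forged chain back into a detectable event.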
"Terdot is a complex malware, building upon the legacy of Zeus," Bitdefender concluded. "Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean."
Bitdefender has been tracking the new variant of the Terdot banking Trojan ever since it resurfaced in October last year. For more details on the new threat, you can head over to the technical paper (PDF) published by the security firm.