The Terdot Trojan is a new strain of Zeus, a highly effective banking Trojan first spotted in 2009. Although Zeus itself has been discontinued, its source code has been publicly available since it leaked in 2011, allowing criminals to build a range of new banking Trojans on its sophisticated codebase.
Terdot itself is not new, having first been seen in the middle of last year, but a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the United Kingdom.
The new variant adds many features. In addition to stealing banking credentials, the Terdot Trojan spies on social media activity and can alter tweets, Facebook posts, and posts on other social media platforms in order to spread to the victim's contacts. It can also modify email, targeting Yahoo Mail and Gmail accounts, and it can inject code into the web pages a victim loads, which helps it spread on a wide scale.
Once on a device, Terdot can also download and install additional files, and because it is modular it can be updated automatically as new capabilities are developed.
The most recent variant was discovered by security researchers at Bitdefender. They note that in addition to altering existing social media posts, the Trojan can publish new posts on most social media platforms, and they suspect the stolen social media credentials are sold on to other malicious actors, compounding the harm to victims.
Apart from spreading through compromised social media accounts, the Trojan is distributed through phishing emails. One spam campaign used buttons styled to look like PDF attachments; clicking one instead runs JavaScript that starts the infection chain. Bitdefender notes, however, that the primary infection vector appears to be the Sundown exploit kit, which exploits vulnerabilities in web browsers to deliver the malware.
Unfortunately, spotting Terdot is difficult. It is installed through a complex chain of droppers, code injections and downloaders designed to reduce the chance of detection, and the payload is delivered in pieces that are reassembled on the infected device. Once installed it can remain hidden for a long time, and at the time of writing many AV products do not detect it.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” said a Bitdefender spokesperson.
Safeguarding against banking Trojans like Terdot requires capable anti-malware tools to detect and block the download, but organizations should also consider additional controls aimed at the two main attack vectors: exploit kits and spam email.
Spam filtering should be in place to block phishing emails carrying JavaScript and Visual Basic downloaders, and a web filter should prevent access to sites known to host malware and exploit kits. Even with strong anti-virus, web filtering and spam filtering, employees need to be trained to be security conscious: ongoing training and regular security updates help cut out the risky behavior that leads to costly malware infections.
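The spam campaign described above dressed a JavaScript downloader up as a PDF, and the recommendation is to block JavaScript and Visual Basic downloaders at the mail gateway. The following is an added example, not code from the article or from Bitdefender, of the attachment check such a filter performs: it parses a raw message, flags script attachments by their real (final) extension so that a double-extension name like Invoice.pdf.js is caught, and lists the contents of zip attachments without extracting them. The sample email, file names and addresses are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions used by the script downloaders the article names (JavaScript,
# Visual Basic) plus the Windows Script Host wrappers that run them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def script_extension(name):
    """Return the matching script extension if *name* ends in one, else None.

    Only the final extension counts, so 'Invoice.pdf.js' is treated as
    JavaScript rather than as a PDF."""
    lowered = name.lower().strip()
    for ext in SCRIPT_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def scan_zip_bytes(data):
    """Names of script files inside a zip archive (listed, never extracted)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if script_extension(member):
                    hits.append(member)
    except zipfile.BadZipFile:
        # Not a valid archive; a real gateway would quarantine it for a
        # content-type mismatch, which is outside this example's scope.
        pass
    return hits


def find_script_attachments(raw_message):
    """Return a list of (attachment_name, reason) for parts that should block delivery."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        ext = script_extension(name)
        if ext:
            findings.append((name, f"script attachment ({ext})"))
            continue
        if any(name.lower().endswith(a) for a in ARCHIVE_EXTENSIONS):
            for member in scan_zip_bytes(payload):
                findings.append((name, f"archive contains script {member}"))
    return findings


def build_sample_email():
    """Constructed message modelled on the campaign above: a JavaScript file
    named to look like a PDF, a zip wrapping a VBScript, and a genuine PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "victim@example.invalid"      # constructed recipient
    msg["Subject"] = "Your invoice"
    msg.set_content("Please open the attached PDF invoice.")
    # Inert stand-in; a real dropper would fetch and run the next stage.
    js_body = b"// constructed sample, does nothing\nvar x = 1;\n"
    msg.add_attachment(js_body, maintype="application", subtype="octet-stream",
                       filename="Invoice_2017.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.vbs", "' constructed sample\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="order.zip")
    msg.add_attachment(b"%PDF-1.4 constructed stub\n", maintype="application",
                       subtype="pdf", filename="real_invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_script_attachments(build_sample_email()):
        print(f"BLOCK {name}: {reason}")
```

Running it flags Invoice_2017.pdf.js and the VBScript inside order.zip while letting real_invoice.pdf through. The check is deliberately name-based, which is what makes the double-extension trick visible; a production gateway would also compare the declared content type with the file's magic bytes, handle password-protected and nested archives, and inspect Office documents for macros, since Visual Basic downloaders also arrive as VBA.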