The Terdot Trojan is a form of Zeus, a highly successful banking Trojan that first was seen in 2009. While Zeus is no longer doing the rounds, its source code has been available since 2011, allowing cyber criminals to produce new banking Trojans using its sophisticated code.
The Terdot Trojan is not brand new, having first being seen in the middle of 2016, although a new variant of the credential-stealing malware has been produced and is being actively used in attacks, mostly in Canada, the United States, Australia, Germany, and the United Kingdom.
The new variant incorporates many new features. Not only will the Terdot Trojan steal banking details, it will also spy on social media activity and includes the functionality to change tweets, Facebook posts, and posts on other social media platforms to contact the victim’s contacts. The Terdot Trojan can also alter emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites.
Additionally, once downloaded on a device, Terdot can download other files. As new strains are produced, the modular Trojan can be automatically updated.
The latest guise of this dangerous malware was discovered by security researchers at Bitdefender. Bitdefender researchers have revealed that, in addition to modifying social media posts, the Trojan can create posts on most social media platform and expect that the stolen social media details are likely sold on to other malicious actors, spelling further misery for vtjose impacted.
Apart from social media infections, the Trojan is shared using phishing emails. One such spam email campaign incorporate buttons that appear to be PDF files, although a click will initiate JavaScript which starts the infection process. However, Bitdefender researchers have stated that the primary infection vector appears to be the Sundown exploit kit – exploiting flaws in web browsers.
Sadly, spotting the Terdot Trojan is difficult. The malware is installed using a complex chain of droppers, code injections and downloaders, to minimize the risk of detection. The malware is also installed in chunks and assembled on the infected device. Once downloaded, it can remain undetected and is not currently picked up by many AV solutions.
Bitdefender. said: “Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean.”
Safeguarding against threats like banking Trojans requires powerful anti-malware tools to detect and obstruct downloads, although businesses should consider extra measure to block the main attack vectors: Exploit kits and spam email.
Spam filtering software should be implemented in order to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly recommended to block access to web pages known to host malware and exploit kits. Even with powerful anti-virus, web filters, and spam filters, staff members should be trained to be more security aware. Constant training and cybersecurity updates can help cut out risky behavior that can lead to malware infections on servers.
