A Zeus spinoff called Terdot, a banker trojan with espionage capabilities, has emerged as a highly customized man-in-the-middle (MITM) proxy, able to steal browsing information such as login credentials and stored credit-card information.
According to an investigation by Bitdefender, the malware can notably inject HTML code into visited web pages to carry out MITM attacks. Thus, on the espionage front, Terdot can eavesdrop on and modify traffic on most social media and email platforms.
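As an added illustration of the defender's side of the HTML-injection technique described above (this is example code, not Bitdefender's tooling or anything from the malware), the script below diffs the form fields and scripts of an observed page against a known-good baseline of the same page and reports what was grafted in; the sample pages, field names and the `find_injected` helper are all constructed for this example.

```python
"""Flag web-inject artefacts by diffing the forms and scripts of an
observed page against a known-good baseline of the same page."""
from html.parser import HTMLParser


class FormScriptCollector(HTMLParser):
    """Collect input names per form plus script src values / inline prefixes."""

    def __init__(self):
        super().__init__()
        self.inputs = set()      # (form_index, input name)
        self.scripts = set()     # script src, or "inline:<first 40 chars>"
        self._form = -1
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form += 1
        elif tag == "input" and self._form >= 0:
            self.inputs.add((self._form, a.get("name", "")))
        elif tag == "script":
            if a.get("src"):
                self.scripts.add(a["src"])
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.add("inline:" + data.strip()[:40])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def find_injected(baseline_html, observed_html):
    """Return (added_inputs, added_scripts) present in observed but not baseline."""
    base, obs = FormScriptCollector(), FormScriptCollector()
    base.feed(baseline_html)
    obs.feed(observed_html)
    return sorted(obs.inputs - base.inputs), sorted(obs.scripts - base.scripts)


# Constructed sample pages (not captured traffic): the observed copy has an
# extra card-number field and an inline script grafted into the login form.
BASELINE = '<form action="/login"><input name="user"><input name="pass"></form>'
OBSERVED = ('<form action="/login"><input name="user"><input name="pass">'
            '<input name="cardnum"><script>post(document.forms[0]);</script></form>')

if __name__ == "__main__":
    print(find_injected(BASELINE, OBSERVED))
```

A baseline captured over a trusted path (or from the site owner's own reference copy) is what makes the diff meaningful; anything appearing only in the endpoint-observed copy is a candidate inject.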
Bitdefender researchers said that samples show the trojan targeting users of various web services such as Yahoo Mail and Gmail. Interestingly, the malware is specifically instructed not to gather any data from vk.com, Russia’s largest social media platform.
Terdot could evolve in the future: It has automatic update capabilities that allow it to download and execute any type of file when requested by its operator, so it can be updated with new capabilities at any time.
“Financial institutions should be concerned as this trojan is likely to be instrumental in attacks that result in customers' money loss by compromising transactions, or by stealing accounts and credit-card information,” said Bitdefender researchers, in an analysis. “Financial institutions can prepare by proactively monitoring user accounts for suspicious activity, especially when transactions do not match the customer’s regular usage habits. Additionally, targeted banks should proactively inform their customers about potential attacks and advise them to use security solutions that can intercept the threat.”
Terdot takes its cues from the infamous banking trojan Zeus, whose source code was leaked back in 2011.
Manoj Asnani, VP of product and design at Balbix, said that enterprises may have trouble defending against the malware.
“Terdot uses two attack vectors to exploit users—phishing and man-in-the-middle,” he said via email. “Enterprises that have deployed breach prediction systems that comprehensively cover all attack vectors are able to defend against Terdot more effectively. But, it should be noted that most of today’s detection solutions are single attack vector focused. A multi-vector system is needed in this case—and would have proactively flagged users that are at risk of phishing, in addition to compromised or spoofed certificates.”