This banking malware wants to scoop up your email and social media accounts, too

Spin-off from Zeus malware adds features that make it look more like an espionage tool than malware built just for stealing bank details.
Written by Danny Palmer, Senior Writer

What was only a banking trojan now has the ability to monitor social media posts too.

A sophisticated form of malware based on the notorious Zeus trojan and originally designed to steal banking credentials has returned with new espionage capabilities which allow it to monitor and modify Facebook and Twitter posts, as well as the ability to eavesdrop on emails.

Active since mid-2016, the Terdot trojan has been highly customised to incorporate man-in-the-middle attacks, inject code into websites and steal browsing information including login credentials and credit card details.

Like other derivatives of Zeus malware, Terdot targets Windows systems.

While the malware is still a banking trojan at heart - particularly targeting the US, Canada, the UK, Germany and Australia - researchers at Bitdefender have discovered that Terdot comes with capabilities which go beyond its primary purpose and can be exploited to snoop on almost the entire online lives of victims.

The malware can also target information from popular email service providers, and it includes the ability to exploit a victim's social media accounts, both to steal data and to spread itself.

"Social media accounts can be also used as a propagation mechanism once the malware is instructed to post links to downloadable copies of the malware. Additionally, the malware can also steal account login information and cookies, so its operators can hijack the social network account and re-sell access to it, for instance," Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender told ZDNet.

While a number of social media networks are targeted, researchers note that the malware is specifically instructed not to gather any data from VK, Russia's largest social media platform, leading researchers to suggest that those behind Terdot may be operating out of Eastern Europe.

Like similar malware campaigns, Terdot attacks begin with phishing emails. These messages are rigged with a button designed to look like a PDF file, which when clicked actually executes JavaScript code to download the malware file.

To prevent the malicious payload from being uncovered by security software, the malware uses a chain of droppers, injections and downloaders in order to download the malware to the disk in chunks. Researchers note that Terdot has also been delivered using the Sundown exploit kit.

Once installed, Terdot injects itself into the browser processes in order to read traffic and deliver code - it's also capable of injecting intrusive spyware in order to exfiltrate data and upload it to command and control servers.

This ability to spy on victims - not only stealing their banking information but also monitoring their social networks and emails - makes Terdot dangerous, essentially turning it into a powerful espionage tool that, because of its modular nature, is difficult to spot and remove.

While the malware isn't as widespread as some of the most notorious forms of banking trojans, the fact that Terdot is so capable at stealing credentials - and hiding its activity - could point to a dangerous new evolution in cyber crime.

"The malware's distribution is far from an epidemic, but what caught our attention is the sophistication of the payload and the malware's capability to run undetected on already infected computers," said Botezatu.

For now, Terdot remains a banking trojan at its heart, with the most commonly targeted websites being those of Canadian institutions such as PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion bank, Banque Nationale, Scotiabank, CIBC and Tangerine Bank.
