Security investigators have discovered a new, sophisticated form of malware based on Zeus banking Trojan that steals more than just bank account details.
Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct Man-In-The-Middle (MITM) attacks, steal browsing information such as stored credit card information and login credentials and injecting HTML code into visited web pages.
However, investigators at security firm have discovered that the banking Trojan has now been revamped with new spying capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.
Terdot banking trojan does this by using a highly customized Man-In-The-Middle (MITM) proxy that allows the malware to intercept any traffic on an infected computer.
The new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.
Usually, Terdot targets banking websites of numerous Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank among others.
Trojan Can Steal Your Facebook, Twitter and Gmail accounts
However, according to the latest analysis, Terdot can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google’s Gmail, Microsoft’s live.com, and Yahoo Mail.
The malware avoids gathering data related to Russian largest social media platform VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.
The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.
Terdot can also bypass restrictions imposed by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and generating certificates for every domain the victim visits.
Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.
“Terdot is a complex malware, building upon the legacy of Zeus,” Bitdefender concluded. “Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean.”
This security firm has been tracking the new variant of Terdot banking Trojan ever since it resurfaced in October last year. For more details on the new threat, you can head on to a technical paper (PDF) published by the security firm.