Terdot: Banking Malware and Espionage Tool Stealing Social Media and E-mail Accounts

Zeus malware is back with a vengeance. A spin-off of the banking trojan, now with revamped espionage capabilities, was recently found by security researchers.

It's known as Terdot, a trojan that has been active since mid-2016 and is highly customized to conduct man-in-the-middle (MitM) attacks that intercept any traffic on an infected computer. The malware was also designed to inject HTML code or spyware into visited pages and to steal banking credentials and credit card information. Commonly targeted websites include the Bank of Montreal, Banque Nationale, Desjardins, PCFinancial, Royal Bank, Scotiabank, and many other Canadian institutions.

Terdot wants more. The Zeus-derived banking trojan is out to get social media and e-mail accounts.

Targets include the popular social networks Facebook, Google Plus, Twitter, and YouTube, and the banking trojan can even post on the infected user's behalf. Google's Gmail, Microsoft's live.com, and Yahoo Mail are among the affected e-mail service providers. This new focus has the potential to make Terdot an extremely powerful cyber espionage tool.

Bitdefender researchers have observed Terdot in malicious emails bearing a fake PDF icon. When clicked, obfuscated JavaScript code is executed to download and run the malware. Terdot is also delivered, mostly, via websites compromised with the SunDown Exploit Kit. Using a complex chain of droppers, injections, and downloaders, Terdot evades detection because the download is performed in installments.

Terdot can then successfully intercept and modify, in real time, any data victims send to their bank or social media account. Not only that, the banking trojan can spread itself by posting fake links on other social media accounts. Interestingly, the malware apparently skips collecting data from VKontakte, Russia's largest social media platform, which somewhat hints that the actors behind the new variant may be from Eastern Europe.
