Saying that Terdot malware is a banking trojan is kind of like saying your computer is a giant calculator. Yes, that’s essentially what it is, but it’s also a whole lot more.
According to a new, in-depth analysis of Terdot from Bitdefender, the malware not only steals credit card information and login credentials for online financial services, but it also intercepts and modifies traffic on social media and email platforms. And because it has automatic updating capabilities, it can add new capabilities at any time.
“Terdot goes above and beyond the capabilities of a Banker trojan,” states Bitdefender in its report. “Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean.”
An offshoot of the Zeus banking trojan, Terdot primarily targets users of Canadian financial websites including PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion bank, Banque Nationale, Scotiabank, CIBC, and Tangerine Bank, Bitdefender reports. Targeted non-financial services include Microsoft’s live.com login page, Yahoo Mail, Gmail, Facebook, Twitter, Google Plus, and YouTube.
However, it does not attempt to victimize users of vk.com, Russia’s largest social media platform — an indicator that the perpetrators behind Terdot could be linked to Russia.
Typically, the malware is delivered via the Sundown Exploit Kit, or through malspam communications, while the actual infection chain relies on a series of droppers, injections, and downloaders that helps Terdot avoid detection.
Once activated, Terdot steals credentials by injecting HTML code into visited web pages and by performing man-in-the-middle attacks, redirecting user requests and website responses through its own local proxy server, possibly altering the communications along the way.
The trojan even has the ability to bypass Transport Layer Security (TLS), Bitdefender explains, by forging its own certificates for every visited domain. “For Internet Explorer, the malware installs hooks to Win32 API certificate checking functions to trick the browser into trusting these forged certificates, and for Mozilla Firefox, Terdot adds the root certificate to the browser’s trusted CA list, using legitimate tools provided by Mozilla.”
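A per-domain forging proxy of the kind described above leaves a distinctive trace: one issuer that is absent from any baseline suddenly signs leaf certificates for many unrelated sites. The following detection heuristic is an added example written for this article, not code from Bitdefender's report or from the malware; the hostnames, issuer names and observation log are constructed, and a real deployment would feed it certificate observations from an endpoint agent or proxy log.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class CertObservation(NamedTuple):
    """One TLS handshake as recorded by an endpoint agent or proxy log."""
    host: str
    issuer: str  # issuer name of the leaf certificate the client accepted


# Constructed baseline: issuers that have legitimately signed each host before.
# In practice this is built from earlier observations or the sites' published
# certificates (for example from Certificate Transparency logs).
BASELINE_ISSUERS: Dict[str, Set[str]] = {
    "online.bank-a.example": {"Example Public CA 1"},
    "mail.provider-b.example": {"Example Public CA 2"},
    "www.social-c.example": {"Example Public CA 2"},
}


def pin_mismatches(observations: List[CertObservation],
                   baseline: Dict[str, Set[str]]) -> List[CertObservation]:
    """Per-host view: every observation whose issuer is not in the host's baseline."""
    return [o for o in observations if o.issuer not in baseline.get(o.host, set())]


def find_interception(observations: List[CertObservation],
                      baseline: Dict[str, Set[str]],
                      min_hosts: int = 2) -> Dict[str, List[str]]:
    """Return {issuer: [hosts]} for each issuer absent from the baseline that has
    signed leaf certificates for at least ``min_hosts`` distinct hosts. One unknown
    issuer spanning unrelated hosts is the hallmark of a local MITM proxy forging a
    certificate per visited domain; a single host moving to a new CA is not."""
    unknown_by_issuer: Dict[str, Set[str]] = defaultdict(set)
    for obs in pin_mismatches(observations, baseline):
        unknown_by_issuer[obs.issuer].add(obs.host)
    return {issuer: sorted(hosts) for issuer, hosts in unknown_by_issuer.items()
            if len(hosts) >= min_hosts}


# Constructed sample: normal traffic, one legitimate CA rotation at a single site,
# then three unrelated sites all signed by the same never-seen issuer.
SAMPLE = [
    CertObservation("online.bank-a.example", "Example Public CA 1"),
    CertObservation("mail.provider-b.example", "Example Public CA 2"),
    CertObservation("www.social-c.example", "Example Public CA 3"),  # rotation only
    CertObservation("online.bank-a.example", "Local Root 7f3a"),
    CertObservation("mail.provider-b.example", "Local Root 7f3a"),
    CertObservation("www.social-c.example", "Local Root 7f3a"),
]

if __name__ == "__main__":
    for issuer, hosts in find_interception(SAMPLE, BASELINE_ISSUERS).items():
        print(f"possible interception root {issuer!r} on {len(hosts)} hosts: {hosts}")
```

The single-host rotation to "Example Public CA 3" shows up only in `pin_mismatches`, so it is left for manual review rather than raised as an interception finding.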