Application security, Threat Management, Threat Intelligence, Malware

Terdot banking trojan targets social media and email in addition to financial services

Saying that Terdot malware is a banking trojan is kind of like saying your computer is a giant calculator. Yes, that's essentially what it is, but it's also a whole lot more.

According to a new, in-depth analysis of Terdot from Bitdefender, the malware not only steals credit card information and login credentials for online financial services, but it also intercepts and modifies traffic on social media and email platforms. And because it has automatic updating capabilities, it can add new capabilities at any time.

"Terdot goes above and beyond the capabilities of a Banker trojan," states Bitdefender in its report. "Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean."

An offshoot of the Zeus banking trojan, Terdot primarily targets users of Canadian financial websites including PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion bank, Banque Nationale, Scotiabank, CIBC, and Tangerine Bank, Bitdefender reports. Targeted non-financial services include Microsoft's login page, Yahoo Mail, Gmail, Facebook, Twitter, Google Plus, and YouTube.

However, it does not attempt to victimize users of, Russia's largest social media platform -- an indicator that the perpetrators behind Terdot could be linked to Russia.

Typically, the malware is delivered via the Sundown Exploit Kit, or through malspam communications, while the actual infection chain relies on a series of droppers, injections, and downloaders that helps Terdot avoid detection.

Once activated, Terdot steals credentials by injecting HTML code in visited web pages and by performing man-in-the-middle attacks, directing user queries and website responses to its own local proxy server, possibly altering the communications along the way.

The trojan even has the ability to bypass Transport Layer Security (TLS), Bitdefender explains, by forging its own certificates for every visited domain. "For Internet Explorer, the malware installs hooks to Win32 API certificate checking functions to trick the browser into trusting these forged certificates, and for Mozilla Firefox, Terdot adds the root certificate to the browser's trusted CA list, using legitimate tools provided by Mozilla."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.