The Trojan predominantly attacks users of Canadian financial websites, and the perpetrators behind Terdot are likely to have links to Russia.
Many have said that calling Terdot a banking Trojan is like calling your computer a calculator. It is indeed a banking Trojan, but Terdot is also a whole lot more.
The results of a new, in-depth analysis of Terdot show that it can not only steal credit card data and login credentials for online banking and other financial sites, but also intercept and modify traffic on social media sites and on email platforms.
The findings were released by Bitdefender, which also noted that because the malware can update itself automatically, it can gain new capabilities at any time. In its report, Bitdefender stated that Terdot goes well beyond the known capabilities of a banking Trojan.
The company said that because the malware focuses on harvesting information from other services, including social networks and email, it could quite possibly turn into a powerful cyber-espionage tool. It added that the malware is extremely difficult to spot and clean on infected systems.
An offshoot of the Zeus banking Trojan, the new malware primarily targets users of Canadian financial websites. These include PCFinancial, Royal Bank, Desjardins, the Toronto Dominion Bank, BMO, Banque Nationale, CIBC, Scotiabank and Tangerine Bank, Bitdefender reports.
Microsoft's live.com login page, Gmail, Yahoo Mail, Twitter, Facebook, YouTube and Google Plus are among the non-financial services targeted. Bitdefender believes that those behind Terdot may be linked to Russia, a conclusion drawn from the discovery that the malware does not attempt to victimise users of Russia's largest social media platform, vk.com.
Terdot is typically delivered through the Sundown exploit kit, and alternatively through malspam. To evade detection, the infection chain relies on a series of droppers, injections and downloaders. Once active, the malware steals credentials by injecting HTML code into the web pages the victim loads.
Terdot then performs a simple man-in-the-middle attack: it routes the user's requests and the websites' responses through its own local proxy server, altering the traffic along the way where it chooses. Bitdefender explains that the Trojan can even bypass Transport Layer Security (TLS).
It does this by forging its own certificate for each visited domain. On a system that uses Internet Explorer, the malware hooks the Win32 API functions responsible for certificate verification so that the browser is tricked into trusting the forged certificates.
On a system that uses Mozilla Firefox, Terdot instead adds its own CA certificate to the browser's list of trusted certificate authorities, using genuine certificate-management tools supplied by Mozilla. In both cases the forged per-domain certificates only work because the browser has been made to trust the attacker's CA, which is the point a defender can check.
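Since the Firefox variant of the TLS bypass depends on a rogue CA being added to the profile's trust store, one practical check is to audit that store for CAs trusted to issue server certificates that are not on an expected baseline. The script below is an added example, not code from the article or from Bitdefender; it parses the text listing produced by Mozilla's NSS `certutil -L -d <profile dir>` (the assumption here being that this is the Mozilla tool the article refers to). The listing, the nicknames in it and the baseline set are all constructed for the example.

```python
"""Audit a Firefox/NSS trust-store listing for unexpected SSL-trusted CAs.

Added example (not from the article or Bitdefender).  Parses the output of
Mozilla's NSS `certutil -L` and flags every certificate that carries SSL CA
trust but whose nickname is absent from a baseline of expected CAs.
"""
import re
from typing import NamedTuple

# Constructed sample of `certutil -L` output; not a real profile dump.
# Trust attributes are three comma-separated columns: SSL, S/MIME, JAR/XPI.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert Global Root CA                                      C,,
ISRG Root X1                                                 C,,
Mozilla Corp Object Signing                                  ,,C
Example Rogue CA                                             CT,C,C
u:my-client-cert                                             u,u,u
"""

# Nicknames an administrator expects to find in this profile (assumption).
BASELINE_NICKNAMES = {"DigiCert Global Root CA", "ISRG Root X1"}

# Nickname, then two or more spaces, then the three trust columns at end of line.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)$"
)


class TrustEntry(NamedTuple):
    nickname: str
    ssl: str       # trust flags for the SSL column
    smime: str     # trust flags for the S/MIME column
    objsign: str   # trust flags for the JAR/XPI (object signing) column


def parse_listing(text: str) -> list[TrustEntry]:
    """Return one TrustEntry per certificate line; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if not m:
            continue
        ssl, smime, objsign = m.group("trust").split(",")
        entries.append(TrustEntry(m.group("nick").strip(), ssl, smime, objsign))
    return entries


def is_ssl_ca(entry: TrustEntry) -> bool:
    """True if the SSL column grants CA-level trust.

    NSS flags: C = trusted CA for server certs, T = trusted CA for client
    auth, P = trusted peer.  Any of these lets the cert vouch for a server.
    """
    return any(flag in entry.ssl for flag in "CTP")


def find_unexpected_ssl_cas(text: str, baseline: set[str]) -> list[TrustEntry]:
    """Entries trusted for SSL whose nickname is not in the expected baseline."""
    return [
        e for e in parse_listing(text)
        if is_ssl_ca(e) and e.nickname not in baseline
    ]


if __name__ == "__main__":
    for e in find_unexpected_ssl_cas(SAMPLE_LISTING, BASELINE_NICKNAMES):
        print(f"UNEXPECTED SSL trust: {e.nickname!r} (SSL flags={e.ssl})")
```

Run against a real profile by piping `certutil -L -d sql:<profile dir>` into `find_unexpected_ssl_cas`, with the baseline built from a known-clean profile on the same build. Note that the NSS `certutil` is a different program from Windows' own `certutil.exe`; the latter lists the Windows certificate stores, which is the check relevant to the Internet Explorer case rather than Firefox's.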