Terdot Trojan Steals Banking, Email, & Social Media Credentials
The latest updates to the Terdot trojan reveal it's a highly customized and sophisticated malware that does more than just steal bank account credentials.
The latter half of 2017 has seen a resurgence in banking trojan updates, with strains like Emotet, TrickBot, and Ursnif each experimenting with a variety of new delivery, evasion, and worming capabilities. A new trojan called IcedID was discovered, too. It's perhaps little surprise, then, that Terdot, a Zeus-inspired banking trojan that was first spotted in October 2016, has been receiving signficant updates, as well.
Analysis from Bitdefender concludes that, while technically a banking trojan, Terdot's capabilities now go far beyond stealing credit card information and banking credentials. It can also intercept and modify a wide variety of browsing traffic, including stealing information from victims' email and social media accounts.
How Terdot is infecting victims
According to researchers, Terdot is primarily being distributed via the Sundown exploit kit, which infects vulnerable visitors to compromised websites. Samples have also been delivered via phishing emails with a button disguised to look like a PDF attachment.
How Terdot steals information
Once installed on an infected machine, Terdot conducts man-in-the-middle attacks by injecting itself into browser processes and intercepting all web traffic, directing it through its own local proxy server. It inspects the traffic, collects sensitive data, then forwards it on to the intended site and back to the browser without the user being aware anything has happened.
By doing this, not only can Terdot collect browsing information such as login credentials and stored credit card info, it can also inject HTML code in visited web pages, adding fake forms and messaging in another attempt to steal credentials.
At the moment, Terdot is primarily targeting information from Canadian banking institutions, though it's also actively collecting credentials for the following email and social media accounts:
Login information and other sensitive data for each of these accounts is logged and trasmitted back to the attacker's command and control (C2) server.
Terdot has a variety of answers for bypassing security features and evading detection.
Getting around HTTPS: Terdot bypasses Transport Layer Security (TLS) by forging its own certificates for every visited domain. It installs hooks to Win32 API certificate-checking functions to trick Internet Explorer into trusting its forged certificates, and it adds its root certificate to Firefox's trusted Certificate Authority list using an executable that's part of Mozilla's legitimate NSS Tools package.
Escalating privileges: Once on a machine, Terdot also checks to see if it has the necessary privilege to create and edit Registry keys. If not, it attempts to launch itself using Windows Management Instrumentation command line (wmic.exe), which prompts a user access control prompt (UAC). If the user allows it to proceed, the malware then runs in an elevated context.
Gaining persistence: Terdot hides autorun entries in the Registry that enable it to check for and download new updates of itself regularly. Not only does that enable the authors behind Terdot to add capabilities, it also makes removal of the malware more difficult.
Blocking Terdot with Barkly
As with any sophisticated trojan, the best way of dealing with Terdot is to prevent it from fully executing in the first place. That's the only way to avoid data loss not to mention the disruption that comes with trying to fully remove a stealthy and incredibly persistent piece of malware.
Not only does Barkly block the Terdot payload, it also blocks the loader, preventing the payload from ever touching the system.
Barkly blocking the Terdot payload
Banking trojan activity appears to be heating up, with the authors behind these threats taking cues from one another and adding new, experimental capabilities at a worrying rate. Find out how Barkly can protect your organization from these and other rapidly evolving attacks. See a demo of our protection in action.