A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan but could also be used as an infostealer or a backdoor.
Named Terdot, this new malware is not yet a widespread threat. For now, the banking trojan has been seen targeting the customers of Canadian banks, distributed via the Sundown exploit kit and through spam email.
Due to its limited targeting, Terdot's campaigns have gone largely unreported, until last week when Bitdefender analysts published a 32-page report on the trojan's inner workings.
The trojan is not an original piece of code; it is based on the source code of the infamous Zeus banking trojan, which was leaked online in 2011.
There are many other banking trojans active today, but the group behind Terdot was not happy just with Zeus' standard features. Instead, they expanded the codebase and added new attack capabilities.
What Terdot borrowed from Zeus is the mechanism for injecting itself into browser processes and the configuration system that lets operators control which pages Terdot targets and in what way.
Everything else is new, and there's a lot of it. According to Bitdefender, Terdot can also operate a local MitM proxy server to sniff and reroute web traffic, can target more than just banking sites, and can also download and execute files from a remote server.
To perform most of these operations, Terdot doesn't rely on custom code that may trigger alerts with security software, but uses legitimate tools, which are often whitelisted. The use of legitimate system tools for malicious operations has been a trend all this year [1, 2].
Bitdefender says it detected Terdot targeting the following Canadian banks: CFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion Bank, Banque Nationale, Scotiabank, CIBC, and Tangerine Bank.
But the trojan also seeks login credentials from all sorts of sites, such as Live.com, Yahoo Mail, Gmail, Facebook, Twitter, Google+, and YouTube. Bitdefender says it found code that specifically instructs the trojan to avoid collecting credentials for VK.com, Russia's biggest social network, which speaks volumes about the whereabouts of Terdot's authors.
Bitdefender's report also highlights that Terdot is not the work of casual coders. The trojan comes with advanced anti-VM evasion systems, is downloaded in multiple components to avoid detection, and uses a Domain Generation Algorithm (DGA) to generate unique domains for its C&C server, making it harder to take down.
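The DGA mentioned above is a common way for malware to make its C&C infrastructure hard to block, and a common defensive counter is to triage DNS logs for hostnames that look machine-generated. The following is an added example of that triage logic, not code from Bitdefender's report and not a description of Terdot's own algorithm (the report's details are not on this page): it scores the second-level label of each queried name on character entropy, vowel ratio, digit count and length, and runs over a few constructed DNS query log lines in a hypothetical format.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines in a hypothetical format
# (timestamp, host, record type, queried name). Not from any real capture.
SAMPLE_DNS_LOG = """\
2017-11-20T10:01:02Z host-17 query A www.desjardins.com
2017-11-20T10:01:05Z host-17 query A mail.google.com
2017-11-20T10:01:09Z host-17 query A xk3qp9vd2lmtz7ywbq.com
2017-11-20T10:01:11Z host-17 query A wr8hjq2nd9ptxfl.net
2017-11-20T10:01:14Z host-17 query A static.scotiabank.com
"""

LOG_RE = re.compile(r"query\s+\w+\s+(?P<qname>\S+)")


def second_level_label(qname):
    """Return the label directly under the TLD, e.g. 'desjardins' for www.desjardins.com."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[0] if len(parts) < 2 else parts[-2]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    """Share of letters that are vowels; pronounceable names sit well above 0.25."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def dga_score(label):
    """Count how many 'looks generated' heuristics a label trips (0-4)."""
    score = 0
    if shannon_entropy(label) >= 3.5:
        score += 1
    if vowel_ratio(label) < 0.25:
        score += 1
    if sum(ch.isdigit() for ch in label) >= 2:
        score += 1
    if len(label) >= 12:
        score += 1
    return score


def suspicious_domains(log_text, threshold=3):
    """Return (qname, score) for every queried name at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        score = dga_score(second_level_label(qname))
        if score >= threshold:
            hits.append((qname, score))
    return hits


if __name__ == "__main__":
    for qname, score in suspicious_domains(SAMPLE_DNS_LOG):
        print(f"{score}/4  {qname}")
```

The thresholds are deliberately coarse: CDN and cloud hostnames with hashed labels trip the same heuristics, so in practice the score is a triage signal to be combined with query volume, NXDOMAIN rate and domain age rather than a verdict on its own.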
Probably the most advanced Terdot component is its MitM proxy. This tool hooks into the operating system's networking sockets to hijack all traffic and can even read HTTPS connections, because it uses a legitimate executable that is part of Mozilla's NSS Tools package to add its own certificate to the OS certificate store and read SSL traffic.
The MitM proxy is used in conjunction with the browser injection mechanism to steal credentials. For sites not supported by the browser injection mechanism, Terdot reads raw network requests to extract authentication credentials, or injects code into the traffic so that the page loads malicious code that logs the login information.
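Two points above matter to defenders: the trojan leans on legitimate, often whitelisted tools, and one of those tools is used to add a certificate to a trust store so that an interception proxy can read HTTPS. A process-creation log is the natural place to catch that. Below is an added detection example, not code from Bitdefender or Terdot, which flags invocations of a certutil binary that add CA trust: Windows `certutil -addstore` into the Root, CA or AuthRoot stores, and NSS `certutil -A ... -t` with CA trust ("C" or "T") in the SSL trust field. The log format (timestamp, image path, command line separated by `|`) and the sample lines are constructed for the example; the page does not give Terdot's actual command line, so none is claimed here.

```python
import shlex
from pathlib import PureWindowsPath

# Windows certificate stores whose contents are trusted as roots or intermediates.
TRUST_STORES = {"root", "ca", "authroot"}

# Constructed process-creation log: timestamp|image|command line. Not a real capture.
SAMPLE_PROCESS_LOG = r"""
2017-11-20T10:02:00Z|C:\Windows\System32\certutil.exe|certutil.exe -addstore Root C:\Users\Public\ca.cer
2017-11-20T10:02:01Z|C:\Users\Public\nss\certutil.exe|"C:\Users\Public\nss\certutil.exe" -A -n "ProxyRoot" -t "C,," -i C:\Users\Public\ca.pem -d C:\Users\Public\profile
2017-11-20T10:02:02Z|C:\Windows\System32\certutil.exe|certutil.exe -hashfile C:\Users\Public\file.bin SHA256
2017-11-20T10:02:03Z|C:\Users\Public\nss\certutil.exe|"C:\Users\Public\nss\certutil.exe" -L -d C:\Users\Public\profile
"""


def tokenize(cmdline):
    """Split a Windows command line; non-POSIX mode keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def is_certutil(image):
    """True for both the Windows certutil.exe and the NSS certutil binary."""
    return PureWindowsPath(image).name.lower() in ("certutil.exe", "certutil")


def windows_store_add(tokens):
    """Return the target store if this is 'certutil -addstore [-user] <trust store> ...'."""
    low = [t.lower() for t in tokens]
    if "-addstore" not in low:
        return None
    for t in low[low.index("-addstore") + 1:]:
        if not t.startswith("-"):          # first non-flag argument is the store name
            return t if t in TRUST_STORES else None
    return None


def nss_ca_trust_add(tokens):
    """Return the trust string if this is NSS 'certutil -A ... -t <flags>' granting CA trust for SSL."""
    if "-A" not in tokens or "-t" not in tokens:
        return None
    i = tokens.index("-t")
    if i + 1 >= len(tokens):
        return None
    trust = tokens[i + 1]
    ssl_field = trust.split(",")[0]        # NSS trust string is "<SSL>,<email>,<object signing>"
    return trust if ("C" in ssl_field or "T" in ssl_field) else None


def find_trust_store_changes(log_text):
    """Return (timestamp, kind, detail) for every certutil call that adds CA trust."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline = line.split("|", 2)
        if not is_certutil(image):
            continue
        tokens = tokenize(cmdline)
        store = windows_store_add(tokens)
        if store:
            findings.append((ts, "windows-store", store))
            continue
        trust = nss_ca_trust_add(tokens)
        if trust:
            findings.append((ts, "nss-db", trust))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in find_trust_store_changes(SAMPLE_PROCESS_LOG):
        print(f"{ts}  {kind:14s}  {detail}")
```

Because the binaries involved are legitimate, the image hash alone will never alert; the signal is the combination of the tool, the trust-granting arguments and the context (a user-writable path, a process tree that does not lead back to an installer or an administrator). A periodic diff of the machine's root store against a known-good baseline is the complementary check for additions that bypassed logging.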
Terdot is not the only relatively new banking trojan that came to light these past two weeks. IBM's X-Force team previously discovered the IcedID banking trojan.