Security researchers have discovered a new sophisticated version of the infamous Zeus Trojan, and this version can steal more than just bank account details.
Terdot, this variation of Zeus Trojan, has been around since mid-2016 and was back then designed to operate as a man-in-the-middle (MiTM) proxy, stealing browsing such as stored credit card and login credentials.
Want to stay up to date with security news? Please subscribe to our LinkedIN group , Like our Facebook page, or join our FREE Newsletter!
Do you have an idea to improve Security News? Email us: email@example.com
Researchers at Bitdefender discovered that Zeus has new capabilities such as leveraging open-source tools for spoofing SSL certificates in order to access social media accounts and post on behalf of the infected user.
Tredot can target user accounts on social media: it can hack Facebook, Youtube, Google Plus, and email providers including Google, Microsoft, and Yahoo.
Here is an expert of Bitdefender’s research paper:
“Particularly interesting about Terdot, though, is that, just like the Netrepser targeted attack, it leverages legitimate applications such as certificate injection tools for nefarious purposes, rather than specialized utilities developed in house. Another discovery worth mentioning is that, even if Terdot is technically a Banker Trojan, its capabilities go way beyond its primary purpose: it can also eavesdrop on and modify traffic on most social media and email platforms. Its automatic update capabilities allow it to download and execute any files when requested by its operator, meaning it can develop new capabilities.”
The infection process
The trojan is mainly distributed through websites infected with the SunDown Exploit Kit, but it could also arrive in malicious emails with a fake PDF icon button.
In order to avoid detection, the trojan uses a complex network of downloaders to allow the download of Terdot in pieces.
Terdot can bypass TLS enforced restrictions by generating its own Certification Authority (CA) and generating certificates for every domain the victim visits.
Note About Resources
Listing resources is a new initiative that we are trying at SecurityNews.io. If you have any feedback, please share with Mohamad. We only grow as a community because of YOU.