The latest threat to cyber security is a sophisticated form of malware based on the notorious Zeus trojan. Initially designed to steal banking credentials, it has returned with new espionage capabilities that allow it to monitor and modify Facebook and Twitter posts, as well as to eavesdrop on emails.
Active since mid-2016, the Terdot trojan has been heavily customized to carry out man-in-the-middle attacks, inject code into websites, and then steal browsing information, including login credentials and credit card details.
Like the other derivatives of Zeus, Terdot targets Windows systems.
Even though the malware is still a banking trojan at heart, particularly targeting the US, Canada, the UK, Germany, and Australia, researchers at Bitdefender have discovered that Terdot comes with capabilities that go beyond its primary purpose and can be used to snoop on almost the entire online life of a victim.
The malware may also harvest information from popular email service providers, and it can abuse a victim's social media accounts both to steal data and to spread itself.
Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, said: "Social media accounts can also be used as a propagation mechanism once the malware is instructed to post links to downloadable copies of the malware. Additionally, the malware can also steal account login information and cookies, so its operators can hijack the social network account and re-sell access to it, for instance".
One detail stands out. While a number of social media networks are targeted, researchers have noted that the malware is specifically instructed not to gather any data from VK, Russia's largest social media platform, leading them to suggest that those behind Terdot may be operating out of Eastern Europe.
How does Terdot work?
To prevent the malicious payload from being uncovered by security software, the malware uses a chain of droppers, injections, and downloaders to write the malware to disk in chunks. Researchers have also noted that Terdot has been delivered using the Sundown exploit kit.
Once installed, Terdot injects itself into the browser processes in order to read traffic and deliver code. It is also capable of injecting intrusive spyware that exfiltrates data and uploads it to command and control servers.
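The browser-injection behaviour described above is the kind of thing endpoint telemetry can surface. The following is an added detection example, not code from the article or from Bitdefender: it assumes Sysmon-style events (ID 8 CreateRemoteThread, ID 10 ProcessAccess, ID 3 NetworkConnect) in a simplified key=value form, flags any non-allowlisted process that opens or creates a thread in a browser, and then lists the outbound connections that injector made as candidate command-and-control traffic. The log lines, paths, IPs and the allowlist are constructed for the example and are assumptions to tune for a real estate.

```python
"""Flag processes that inject into browsers and correlate their outbound connections.

Added example; the events below are constructed samples in a simplified key=value
layout, not real Sysmon output or Terdot telemetry.
"""
import ntpath
import re
from collections import defaultdict

# Browser executables a Terdot-style banking trojan hooks to read and alter traffic.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Processes that legitimately open browser processes (assumption: tune per environment).
ALLOWED_SOURCES = {"csrss.exe", "svchost.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Sysmon event IDs: 8 = CreateRemoteThread, 10 = ProcessAccess, 3 = NetworkConnect.
INJECTION_EVENTS = {"8", "10"}
NETWORK_EVENT = "3"

# Constructed sample events (paths and IPs are made up; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Users\alice\AppData\Roaming\Updater\upd.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe GrantedAccess=0x1000",
    r"EventID=8 SourceImage=C:\Users\alice\AppData\Roaming\Updater\upd.exe TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe StartAddress=0x7FF6A0001000",
    r"EventID=3 Image=C:\Users\alice\AppData\Roaming\Updater\upd.exe DestinationIp=203.0.113.45 DestinationPort=443",
    r"EventID=3 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationIp=198.51.100.7 DestinationPort=443",
    r"EventID=8 SourceImage=C:\Program Files\Mozilla Firefox\firefox.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe StartAddress=0x1",
]

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value runs
# until the next " key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD.findall(line))


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def find_browser_injections(lines):
    """Return injection events whose target is a browser and whose source is not allowlisted."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("EventID") not in INJECTION_EVENTS:
            continue
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if base(tgt) in BROWSERS and base(src) not in ALLOWED_SOURCES:
            hits.append({"event": ev["EventID"], "source": src, "target": tgt})
    return hits


def correlate_c2(lines, hits):
    """Map each flagged injector (lower-cased path) to the outbound connections it made."""
    injectors = {h["source"].lower() for h in hits}
    conns = defaultdict(list)
    for line in lines:
        ev = parse(line)
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == NETWORK_EVENT and image in injectors:
            conns[image].append((ev.get("DestinationIp"), ev.get("DestinationPort")))
    return dict(conns)


if __name__ == "__main__":
    found = find_browser_injections(SAMPLE_LOG)
    for h in found:
        print(f"[injection] event {h['event']}: {h['source']} -> {h['target']}")
    for image, dests in correlate_c2(SAMPLE_LOG, found).items():
        print(f"[candidate C2] {image}: {dests}")
```

Run as written, the script flags only the user-profile `upd.exe` thread creation in Chrome (csrss opening Chrome and Firefox touching its own processes are allowlisted) and pairs it with the single connection that binary made. The allowlist is the weak point of any rule like this: keep it short, and treat an injector living under a user-writable directory such as AppData as higher-confidence than one under Program Files.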
This ability not only to steal victims' banking information but also to monitor their social networks and emails makes Terdot more dangerous, turning it into a powerful espionage tool that, because of its modular nature, is difficult to detect and remove.
Even if the malware is not as widespread as some of the most notorious banking trojans, the fact that Terdot is so capable at stealing credentials and hiding its activity makes it more dangerous, and marks a further evolution in cybercrime.
Botezatu again: "The malware's distribution is far from an epidemic, but what caught our attention is the sophistication of the payload and the malware's capability to run undetected on already infected computers".
For now, Terdot remains a banking trojan at heart, with the most commonly targeted websites being those of Canadian institutions including PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion Bank, Banque Nationale, Scotiabank, CIBC and Tangerine Bank.