Terdot

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 364
First Seen: September 8, 2021
Last Seen: May 23, 2023
OS(es) Affected: Windows

Terdot is a banking Trojan that is related to Zeus, a well-known banking Trojan. Terdot is designed to collect information from its victims, including credit card information and online login information. Terdot also is designed to inject HTML code into the websites visited on the infected computer, allowing it to harvest information, trick computer users into inadvertently logging into fake versions of websites, and carry out other well-known tactics. One aspect of Terdot is that it targets well-known online email services, including Gmail and Yahoo. Curiously, Terdot does not target vk.com, the largest social media platform in Russia. This may indicate some espionage application or a targeted attack functionality associated with the Terdot banking Trojan.

Terdot is a Highly Threatening Banking Trojan

Terdot is designed to receive automatic updates, allowing Terdot's operators and creators to update Terdot and upload new data relating to Terdot. Financial institutions and other online platforms take precautions against Trojans like Terdot, taking special steps in safeguarding accounts and credit card information. There are several ways in which this can be done, including a better monitoring of accounts for any activity that is out of the ordinary and informing customers about possible attacks, risks, and other steps that can be taken to prevent attacks like Terdot actively.

How Terdot Carries out Its Attack

Zeus is an infamous Trojan that is responsible for countless attacks on online banking platforms and other websites. After the code for the Zeus Trojan was leaked online in 2011, numerous variants of this Trojan appeared. Terdot is just one of the many Trojans that take advantage of the availability of Zeus' code to carry out attacks. PC security researchers have connected two types of attacks with Terdot: Man-in-the-Middle attacks and phishing. Both are designed to collect the victims' data, using two different approaches. It is important for online platforms to establish preventive measures to defend themselves against these attacks. It is not enough for computer users to have strong security software that is fully up-to-date; protection against threats like Terdot must be taken on both sides.

There are several techniques associated with Terdot that may not have been in the original Zeus framework. These include the use of open source tools for creating fake SSL certificates and obfuscation techniques that allow Terdot to evade some anti-virus programs. Terdot's Man-in-the-Middle attack also is quite sophisticated, filtering all of the victim's online activity in search of data that is then stored and sent to Terdot's operators. Terdot can manipulate the traffic on online email platforms and social media websites, even creating fake messages and posts that appear to be sent by the victim. Terdot is capable of evading detection and removal techniques, which makes it very difficult to remove completely.

The Terdot Attacks are in the Wild

Although there are countless ways of delivering Trojans like Terdot to the victims' computers, the bulk of Terdot infections are related to the SunDown Exploit Kit. Terdot is being spread through corrupted email messages that include a fake PDF file that installs Terdot through the use of a corrupted JavaScript. As with most banking Trojans, it is important for computer users to take special precautions when handling unsolicited email messages and attachments. This is especially true because threats like Terdot can spread through the use of phishing emails, which trick computer users by using social engineering techniques that make it seem as if the email message is coming from a legitimate source. A skilled security program also should be used.

The Return of Zeus Sphinx

The current Zeus Sphinx campaign involves the use of phishing emails. The emails contain malicious documents that appear to be information about government relief programs for the coronavirus pandemic.

Some Terdot activity was noticed last December, but the campaigns kicked into high gear during March 2020. The threat actors behind the virus appear to be taking advantage of people waiting for their government relief.

Much like with the previous campaigns, the team behind Terdot is targeting major banks across Australia, Canada, and the United States.

Hackers ask their victims to fill out a password-protected request form sent to them as a Word document. The email suggests that the recipient will receive relief payments to help them survive at home during the pandemic.

After the user downloads and accesses the document, it will request that they enable macros. If the user allows for macros, the document infects their computer by downloading and running an installer for the Sphinx banking trojan.

Researchers discovered Sphinx could patch explorer.exe and browser processes. However, the virus is unable to repatch itself once its patch has been undone. As such, persistence is not a strength of the virus; it is unlikely to persist after browsers are updated.

Terdot can download custom files designed to mimic banking websites by using the Tables web-based control panel. By doing this, the virus appears more legitimate and is better able to trick users into offering up their banking information. The information and authentication codes the person enters into the fake website are sent to the attacker, who can use them for nefarious purposes.

The Tip of the Iceberg

The new Terdot campaign is just one of many virus campaigns leveraging coronavirus to trick victims and steal their sensitive information. The FBI recently warned that they spotted phishing campaigns using fake government stimulus checks to steal information from targets.

The Internet Crime Complaint Center of the FBI warns users to avoid clicking on links and opening attachments sent by unknown people. The FBI also recommends making sure that the websites you visit are legitimate by entering the link into the address bar of the browser yourself instead of clicking on a hyperlink.

One of the most important things you can do is to never offer up personal and financial information over the phone or through emails.

03.31.20 Update

Terdot, also known as Zeus Sphinx and Zloader, has been relatively inactive for the past few years. However, it appears that the panic surrounding the Coronavirus pandemic has caught the attention of its developers, and they have once again started to propagate it – this time, with the help of COVID-19 themed phishing emails.

The current campaign relies on corrupted documents that arrive as legitimate-looking email attachments. One of the common subjects used in the phishing campaign is 'COVID-19 Relief,' and the attached document goes by the same name 'COVID-19 Relief.doc.' The document is password-protected, but the password to unlock it is included in the email – this is a basic measure that cybercriminals adopt to make the job of automatic malware analysis tools more difficult.

If the document is downloaded and opened, the recipient may be asked to enable the execution of macros to view the protected content – if the prompt is accepted, the Terdot payload may be downloaded and initialized. The targets of the 'COVID-19 Relief' phishing campaign appear to be users of various banks in Australia, Canada and the United States.
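The lure pattern described in the two paragraphs above (a macro-capable Office attachment whose opening password is handed to the recipient in the message body) is something a mail gateway can flag before the document ever reaches a user. The following triage heuristic is an added example, not code from the original article or from any vendor; the sample messages, the hypothetical sender address and the password wording it matches are all constructed for the example.

```python
"""Mail-gateway triage for password-in-body macro lures (added example).

Flags a message when (a) it carries a macro-capable Office attachment and
(b) the body hands over a password for opening it.  Neither signal alone is
conclusive; together they match the 'COVID-19 Relief.doc' pattern above.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions that can carry VBA macros (legacy binary formats plus *m OOXML).
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm",
                 ".xltm", ".ppt", ".pot", ".pptm", ".potm"}

# 'password is X', 'password: X', 'password to open is X' -> captures X.
PASSWORD_HINT = re.compile(
    r"\bpassword\b(?:\s+to\s+open)?(?:\s+is|\s*:)\s*['\"]?([A-Za-z0-9!@#$%^&*_-]{4,})",
    re.IGNORECASE,
)


def triage(raw_message: bytes) -> dict:
    """Return the signals found in one RFC 5322 message and a verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""

    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    macro_docs = [name for name in attachments
                  if os.path.splitext(name.lower())[1] in MACRO_CAPABLE]

    match = PASSWORD_HINT.search(body_text)
    password = match.group(1) if match else None

    reasons = []
    if macro_docs:
        reasons.append("macro-capable attachment: " + ", ".join(macro_docs))
    if password:
        reasons.append("document password supplied in message body")

    return {
        "subject": msg["Subject"],
        "attachments": attachments,
        "macro_docs": macro_docs,
        "password_in_body": password,
        "reasons": reasons,
        # Both signals together are the lure pattern; either alone is only a hint.
        "suspicious": bool(macro_docs) and password is not None,
    }


def build_sample(subject, body, filename, content_type):
    """Build a constructed test message with one attachment (not a real lure)."""
    maintype, subtype = content_type.split("/", 1)
    msg = EmailMessage()
    msg["From"] = "relief@example.invalid"  # hypothetical sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes, not a real document",
                       maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed sample mirroring the campaign's lure wording.
SAMPLE_LURE = build_sample(
    "COVID-19 Relief",
    "Please complete the attached request form to receive your relief payment.\n"
    "The document password is Relief2020\n",
    "COVID-19 Relief.doc",
    "application/msword",
)

# Constructed benign sample: ordinary PDF, no password in the body.
SAMPLE_BENIGN = build_sample(
    "March invoice",
    "Hi, the invoice for March is attached. Thanks.\n",
    "invoice-march.pdf",
    "application/pdf",
)

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(raw))
```

The verdict deliberately requires both signals: plenty of legitimate mail carries `.doc` files, and plenty mentions passwords, but handing over the password for an Office attachment in the same message is exactly the step the campaign needs to get past automated analysis while still reaching the user.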

Once active, the Terdot Banking Trojan will use its classic technique to collect login credentials from its victims – it will alter the online banking portals they visit and insert fake fields that are used to collect information, as well as bypass two-factor authentication.
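The web-inject technique described above, and in the opening paragraph of the article, leaves a concrete trace: the form the victim's browser renders contains fields the bank's server never sent. An analyst who has a reference copy of the legitimate page and a DOM snapshot from a suspect host can diff the two field sets. The script below is an added example, not code from the original article or from any vendor; both HTML samples are constructed, and the form and field names in them are assumptions.

```python
"""Detect injected form fields by diffing a reference page against a DOM
snapshot from a suspect browser (added example, constructed HTML).

Zeus-family web injects add inputs (PIN, one-time code, card number) to a
legitimate login form; fields present in the observed DOM but absent from
the page the server served are the injection.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect (form identifier, field name, field type) for every input,
    select or textarea that sits inside a <form>."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._form = None  # identifier of the currently open form, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._form = a.get("id") or a.get("name") or a.get("action") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self.fields.add((self._form, a.get("name") or "", a.get("type") or "text"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def collect_fields(html):
    """Return the set of form fields found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def find_injected_fields(reference_html, observed_html):
    """Fields in the observed DOM that the reference page does not contain."""
    return sorted(collect_fields(observed_html) - collect_fields(reference_html))


# Constructed reference: what the (hypothetical) bank's server actually serves.
REFERENCE_HTML = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="token-placeholder">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed snapshot from an infected browser: same form plus two injected
# fields asking for data the real login never requests.
OBSERVED_HTML = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password" placeholder="ATM PIN">
  <input name="sms_code" type="text" placeholder="Confirmation code">
  <input name="csrf" type="hidden" value="token-placeholder">
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    for form, name, ftype in find_injected_fields(REFERENCE_HTML, OBSERVED_HTML):
        print(f"injected field in form '{form}': name={name!r} type={ftype!r}")
```

Because the comparison is on field names and types rather than raw markup, cosmetic differences between the two copies (whitespace, ordering, session-specific token values) do not produce false positives; only a field that appears in one form and not the other is reported.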
