Terdot is back: Zeus virus spin-off now steals social media data

Updated version of Terdot trojan emerged

Terdot virus is back

Spotted in the middle of 2016 Terdot virus,[1] a variant of infamous Zeus Trojan,[2] is back. Even though it started as a banking trojan, now it returned with a new strategy. The trojan was noticed stealing social media and email data. This feature makes trojan standout from other cyber threats.

The recently emerged updated version of Terdot is designed to steal information from Facebook, Twitter, Google Plus and YouTube. The virus might also use social networks to spread further by posting malicious links to download malware on the devices.

However, the interesting fact is that it does not target VKontakte – the biggest social media platform in Russia. It allows assuming that authors of the malware might be located in Russia or Eastern Europe.[3]

Additionally, this cyber threat might monitor email activity. Malware reported of targeting email services, such as Microsoft live.com login page, Yahoo Mail, and Gmail.

The features of the Terdot virus

Terdot started as a banking trojan that used man-in-the-middle attacks to compromise websites and steal victim’s credentials. The banking malware mostly targeted Canada,[4] the United States, the United Kingdom, Germany, and Australia.

  • PCFinancial,
  • Desjardins,
  • BMO,
  • Royal Bank,
  • the Toronto Dominion bank,
  • Banque Nationale, Scotiabank,
  • CIBC and Tangerine Bank.

The majority of phishing emails are spread with the help of Sundown Exploit Kit. The malicious emails include fake PDF document or icon that hides JavaScript code. As soon as users click it, they activate malware download process. The advanced payload delivery mechanism is created to protect it from obstacles or failures. Thus, the malicious program is designed to succeed and hard to remove.

The trojan also injects itself into web browser processes. It mostly targets Mozilla Firefox and Internet Explorer browsers. When it settles in the browsers and injects malicious codes, it starts data tracking activities to steal sensitive information. All the stolen data is sent to Command & Control server.

The complexity of the trojan might warn about new era of data-stealing trojans

Security experts warn that Terdot malware has automatic update feature that allows developers to execute new tasks using the same trojan. It means that the program might be updated anytime and become more destructive.

Financial institutions and banks are advised to prepare for better customers' accounts monitoring in order to spot suspicious or unusual activities that might be caused by cyber criminals. Banking trojans can steal credentials silently and empty bank accounts without being noticed.

To protect customers from losing their money, targeted companies should give necessary information and support that would help people to avoid financial loss.

The trojan uses a two-vector attack by sending phishing emails and using man-in-the-middle proxy. While companies should obtain multivector detection solution system[5] to increase the security; users should not only check the compromised websites that include fake security certificates but learn how to detect phishing emails as well.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions