Terdot Banking Trojan a Serious Threat

Terdot was first seen in the wild in October 2016, while discovered over a year ago it has managed to fly under the radar. While initially developed to be solely a banking Trojan, Terdot has since grown into a sophisticated hacking tool that can also work as a backdoor and infostealer. One of the interesting features of Terdot is its use legitimate services in order to read HTTPS traffic. For a full technical analysis of Terdot, Bitdefender released a 32-page document detailing the Trojan in depth.

This year will be remembered for many things within the InfoSec community. Ransomware’s popularity, worms becoming popular again and crypto jackers benefitting from cryptocurrencies ever-increasing value, another trend is the use of legitimate services to further the malware authors aims and circumvent newer security measures. Terdot most definitely falls into the last category detailed above.

Terdot’s evolution

Good malware authors specialize in flying under the radar. However, occasionally information is leaked or stolen and released onto the internet. Mirai, KINS, Carberp and Zeus became in a sense “open source” and brought with it a lot of unwanted attention. This often allowed low-level criminals gaining access to high-level code and looking to taking shortcuts to gaining financially. Terdot may have started out in a similar vein but has grown to become a serious threat despite the banking Trojan not being distributed widely. So far the banking Trojan has only been targeting Canadian banks and their customers.

terdot banking trojan

Terdot is based on the Zeus code that was leaked in 2011, however, Terdot is highly customisable and sophisticated. In summary, the Trojan can operate a MITM proxy, steal browsing information such as login credentials and stored credit card information, as well as inject HTML code in visited Web pages. It goes much further than this as it has been customised to include the ability eavesdrop on and modify traffic on most social media and email platforms. Its automatic update capabilities allow it to download and execute any files when requested by its operator, meaning it can develop new capabilities.

The Trojan’s list of regular banking websites mostly includes Canadian institutions such as PCFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion Bank, Banque Nationale, Scotiabank, CIBC and Tangerine Bank. In line with the new features added the Trojan targets information from e-mail service providers such as Microsoft’s live.com login page,
Yahoo Mail (all top-level domains) and Gmail (all top-level domains). Targeted social networks include Facebook, Twitter, Google Plus and YouTube. Interestingly, the malware is specifically instructed not to gather any data from vk.com, Russia’s largest social media platform.

Initial compromise and distribution

The malware family is distributed via the Sundown exploit kit and through spam email. The email is odd in that it only depicts a PDF icon, once the icon is clicked upon a malicious javascript code is triggered and Terdot is downloaded and run. In order to protect the payload, the Terdot delivery mechanism uses a complex chain of droppers, injections, and downloaders until the Terdot files are downloaded on the disk. To read browser traffic the Trojan relies on injecting itself into the browser processes, where it hooks very low-level network socket operations to direct all connections to its own local proxy server. This server inspects the traffic, forwards the request to the intended target, receives the response, then it sends it back to the victim’s browser, possibly altering it in the process.
Terdot can steal authentication data in one of two ways, either by inspecting the client’s requests or by injecting spyware Javascript code in the responses. Terdot keeps logs of relevant data in HTTP requests and uploads them periodically to the C&C servers.

Most banks, including those targeted by Terdot, have universally adopted HTTPS, the malware includes capabilities to bypass the restrictions imposed by TLS by creating its own Certificate Authority and generating certificates for every visited domain in a classic man-in-the-middle attack. For Internet Explorer, the malware installs hooks to Win32 API certificate checking functions to trick the browser into trusting these forged certificates, and for Mozilla Firefox, Terdot adds the root certificate to the browser’s trusted CA list, using legitimate tools provided by Mozilla.

Abuse of legitimate tools on the rise

Typically, malware that uses concealment techniques injects its code into system processes like explorer.exe traditionally. Increasingly hackers are using legitimate tools to conceal malware. At the start of November researchers at Kaspersky Labs published the discovery of malware that used the trusted application InstallUtil.exe from the Microsoft .NET Framework to conceal itself. The spreading of malicious samples in these instances tend to follow a standard pattern. They basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen especially so that the victim perceives the file as a normal document or photo. Often what is also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the prescribed manner.

Also discovered by researchers at Kaspersky Labs in February 2017, a series of attacks by hackers attacking banks and government institutions using legitimate and reputable applications to infect computers and steal data, all while leaving minimal traces behind. Signs of this type of attack have been found in over 140 hacks in 40 countries around the globe. The common thread in all of these incidents was the lack of any clues in logs and other data storage devices. Attacks like these are often only detectable at the memory and network level only, which would require up-to-the-minute updates with the latest indicators of compromise, such as recently used registry keys and C&C server IPs.

In the examples listed above these types of attacks are been used more often in targeted attacks normally, more often than not, targeting banking institutions. This method of attack is incredibly hard to detect due to its abuse of legitimate tools. It has seen a rise in popularity amongst sophisticated hackers as it also makes attribution nearly impossible.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal