
Terdot Banking Trojan

Terdot is an advanced banking trojan that can collect a variety of information from both the browser and machine itself.

Distributed by the Sundown exploit kit, it uses a Man-in-the-Middle (MitM) proxy to inspect and redirect traffic. The attack hijacks HTTPS traffic by inserting itself into the system's network sockets through a legitimate executable. Because it can also add its own certificates to the system's certificate store, it is able to collect and read SSL-encrypted traffic.
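A cheap detection for the certificate-store tampering described above is to baseline the SHA-256 fingerprints of the trusted roots on a clean image and alert when the live store contains a root the baseline does not. The following is an added example, not code from the article or from Bitdefender: the comparison is plain Python, and live enumeration uses `ssl.enum_certificates`, which the standard library provides only on Windows. The DER blobs and the baseline below are constructed placeholders, not real certificates.

```python
"""Report trusted roots that are absent from a known-good baseline.

Added example (not the article's or Bitdefender's code). A Terdot-style MitM
depends on a CA the attacker added to the machine store, so drift between the
live ROOT store and a baseline taken from a clean image is a useful alert.
"""
import hashlib
import ssl
import sys
from typing import Iterable, List, Set

# Constructed stand-ins for DER-encoded certificates (NOT real certificates).
KNOWN_ROOT_A = b"constructed-der-bytes-for-a-legitimate-root-A"
KNOWN_ROOT_B = b"constructed-der-bytes-for-a-legitimate-root-B"
ROGUE_ROOT = b"constructed-der-bytes-for-an-injected-root"


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# The baseline would normally be captured once from a clean image and stored
# alongside the detection script; here it is built from the constructed roots.
BASELINE: Set[str] = {sha256_fingerprint(KNOWN_ROOT_A), sha256_fingerprint(KNOWN_ROOT_B)}


def load_windows_roots(store: str = "ROOT") -> List[bytes]:
    """DER blobs of every X.509 certificate in a Windows system store (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    # enum_certificates yields (cert_bytes, encoding_type, trust); keep plain X.509 entries.
    return [der for der, encoding, _trust in ssl.enum_certificates(store) if encoding == "x509_asn"]


def unexpected_roots(installed: Iterable[bytes], baseline: Set[str]) -> List[str]:
    """Fingerprints present in the installed set but missing from the baseline."""
    return sorted({sha256_fingerprint(der) for der in installed} - baseline)


if __name__ == "__main__":
    try:
        roots = load_windows_roots()
        source = "live Windows ROOT store"
    except RuntimeError:
        roots = [KNOWN_ROOT_A, KNOWN_ROOT_B, ROGUE_ROOT]  # constructed sample store
        source = "constructed sample store"
    drift = unexpected_roots(roots, BASELINE)
    print(f"{source}: {len(roots)} roots, {len(drift)} not in baseline")
    for fp in drift:
        print("  unexpected root:", fp)
```

On a real deployment the baseline should be keyed per OS build, since Windows legitimately updates its root list; fingerprints that appear outside those updates are the ones worth investigating.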

Terdot can be used to steal information entered into the browser or stored in cookies, and can imitate social media accounts. It is also able to download and execute files from a remote server.

Bitdefender researchers said that samples show the trojan targeting users of various web services such as Yahoo Mail and Gmail.

Terdot has anti-detection and anti-removal capabilities and relies on genuine tools to operate. On delivery it downloads several components for defeating security controls, including a domain generation algorithm (DGA) that provides unique domains for command-and-control (C2) communications. It can also forge domain certificates, bypassing Transport Layer Security (TLS) restrictions.
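DGA-generated C2 domains tend to look unlike human-chosen names: long, high-entropy and vowel-poor. The following added example (not the article's or Bitdefender's code, and not Terdot's actual DGA) scores the registrable label of each query name in a few constructed DNS log lines on those three features and flags the outliers. The log format is assumed to be `<timestamp> <client> <qname>`; the query names are constructed, not real indicators.

```python
"""Flag DNS query names whose registrable label looks machine-generated.

Added example, not code from the article. Heuristic only: production
detectors add n-gram frequency tables and allow-lists of known-good domains.
"""
import math
from collections import Counter
from typing import List, Optional

# Constructed sample DNS log lines (format assumed: "<timestamp> <client> <qname>").
SAMPLE_DNS_LOG = """\
2017-11-16T10:01:02Z 10.0.0.12 mail.google.com
2017-11-16T10:01:05Z 10.0.0.12 login.yahoo.com
2017-11-16T10:01:09Z 10.0.0.12 www.bitdefender.com
2017-11-16T10:01:11Z 10.0.0.12 xk3qzpvw9tlmbr.com
2017-11-16T10:01:12Z 10.0.0.12 qwvtzkxjpn.net
2017-11-16T10:01:13Z 10.0.0.12 zrhpq7nlxcwvbt.org
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of characters that are vowels; generated labels are usually vowel-poor."""
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def registrable_label(qname: str) -> Optional[str]:
    """Label left of the TLD, e.g. 'google' for mail.google.com.

    Simplification: the last label is treated as the whole public suffix, so
    names under multi-part suffixes such as .co.uk would need a suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else None


def looks_generated(label: str, min_len: int = 8, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.2) -> bool:
    """True when the label is long, high-entropy and vowel-poor at once."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def flagged_domains(log_text: str) -> List[str]:
    """Query names in log_text whose registrable label looks generated, in log order."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        qname = parts[-1].rstrip(".").lower()
        label = registrable_label(qname)
        if label and looks_generated(label):
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    for name in flagged_domains(SAMPLE_DNS_LOG):
        label = registrable_label(name)
        print(f"{name}: entropy={shannon_entropy(label):.2f} vowel_ratio={vowel_ratio(label):.2f}")
```

The three thresholds are tuned so that ordinary brand names pass (a word such as "bitdefender" has entropy below 3 bits and about a third vowels) while the random-looking labels fail; a DGA that deliberately mixes in vowels would evade this version, which is why real detectors also compare against n-gram statistics of known-good names.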

Terdot is not the only relatively new banking trojan to have come to light in the past two weeks. IBM's X-Force team previously discovered the IcedID banking trojan.

Affected Platforms: Microsoft Windows – All Versions

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
