We usually advise people that have fallen victim to banker Trojans to change all their passwords, especially the ones that are related to their financial sites and apps. Besides the dangers of re-used passwords, there are other reasons why this is important. This advice is especially applicable to a Trojan making the rounds called Terdot.
Our friends at Bitdefender wrote a white paper about the Terdot Trojan that shows how this offspring of Zeus can not only monitor and modify your Facebook, Twitter, YouTube, and Google Plus traffic, but also spy on webmail platforms like Microsoft’s live.com login page, Yahoo Mail, and Gmail.
Hasherezade already saw this coming at the start of this year when she warned us that Terdot spies and also modifies the displayed content by “WebInjects” and “WebFakes.”
The Terdot Trojan is both spread by email, using infected attachments, as well as by the Sundown exploit kit. It uses a complex method to download and activate the malware on the targeted system, most likely to throw security researchers off the scent. Once established, it uses its own security certificate to bypass TLS restrictions and set up a man-in-the-middle (MitM) proxy.
This Terdot variant only targets Windows systems that don’t run a Russian operating system. Its main targets are in the US, Canada, the UK, Germany, and Australia. The added functionality for social media might be used in different ways. Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, told ZDNet:
“Social media accounts can be also used as a propagation mechanism once the malware is instructed to post links to downloadable copies of the malware. Additionally, the malware can also steal account login information and cookies, so its operators can hijack the social network account and re-sell access to it, for instance,”
Malwarebytes detects the installers as Trojan.Terdot:
And blocks the download URLs:
Stay safe out there and get protected.