Security researchers have discovered a sophisticated new malware strain based on the Zeus banking trojan that has been revamped with new espionage capabilities designed to target social media accounts. The Terdot trojan has been active since mid-2016 and is capable of stealing browsing information, injecting HTML code into visited web pages and operating a man-in-the-middle (MITM) proxy.
Researchers also found that the highly customised trojan can eavesdrop on, and even modify, traffic on most social media and email platforms. The malware has automatic update capabilities as well, allowing it to download and execute any files requested by its operator. This means the malware can effectively gain new capabilities on the fly.
Some of the banking websites regularly targeted by Terdot include numerous Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO and Scotiabank, among others.
In addition to its banking targets, it can also harvest information from popular email service providers, including Microsoft's live.com login page, Yahoo Mail and Gmail. Facebook, Twitter, Google Plus and YouTube are also targeted.
"Interestingly, the malware is specifically instructed not to gather any data from vk.com, Russia's largest social media platform," Bitdefender noted.
To evade detection by security software, the malware uses a complex chain of droppers, injections and downloaders that deliver the malware in pieces. Terdot has also been distributed in malware campaigns using the Sundown Exploit Kit, researchers noted.
Terdot could abuse compromised social media accounts in two ways: by harvesting their login credentials to sell on, or by using the accounts to spread itself, posting fake links that lure other users into infection.
Researchers said Terdot's capabilities go "above and beyond" those of a regular banking trojan.
"Terdot is a complex malware, building upon the legacy of Zeus," researchers said. "Its modular structure, complex injections and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.
"Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyberespionage tool that is extremely difficult to spot and clean."