Terdot Resurrects Zeus Banking Trojan, Bigger and Badder Than Before

Marina Kidron Nov 20, 2017

Zeus, king of malware, is back … again. The notorious banking Trojan was first seen in 2010. The following year, its source code leaked, and it has borne many variants since. Researchers at Bitdefender have published a whitepaper on one recent iteration, first observed back in October 2016: Terdot.

Terdot is More Than Meets the Eye

Like Zeus, the Terdot Trojan targets web browsers to steal credentials by injecting HTML code into visited web pages and operating as a man-in-the-middle proxy. But it doesn't stop there. Terdot can also eavesdrop on social media and email platforms such as Facebook, Twitter, YouTube and Gmail. And it could further expand its capabilities, as its automatic update feature allows operators to instruct the Trojan to download and execute any file.

While Terdot can spread through social engineering (via an infected email that runs JavaScript code as the payload), its main infection vector is the Sundown exploit kit.

Sundown exploits many vulnerabilities including:

The full kit contains around 20 vulnerabilities at any given time, but its contents change regularly to stay viable. Sundown doesn't exploit any new vulnerability published during 2017, which shows once again that you can't ignore old vulnerabilities when attackers don't.

To stay safe, patch or otherwise mitigate the vulnerabilities listed above immediately. To be proactive, make sure you have the intelligence and processes in place to quickly flag which of your vulnerabilities have exploit code available, are actively being exploited in the wild, or are packaged in ready-to-use crimeware.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites on the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing and a Bachelor's degree in Computer Science and Mathematics.