Terdot Resurrects Zeus Banking Trojan, Bigger and Badder Than Before

Marina Kidron Nov 20, 2017

Zeus, king of malware, is back … again. The notorious banking Trojan was first seen in 2010. The following year, its source code leaked, and it has borne many variants since. Researchers at Bitdefender have published a whitepaper on one recent iteration, first observed back in October 2016: Terdot.

Terdot is More Than Meets the Eye

Like Zeus, the Terdot Trojan targets web browsers to steal credentials by injecting HTML code into visited web pages and operating as a man-in-the-middle proxy. But it doesn’t stop there. Terdot can also eavesdrop on social media and email platforms such as Facebook, Twitter, YouTube and Gmail. And it could expand its capabilities further, as its automatic update feature allows operators to instruct the Terdot Trojan to download and execute any file.

While Terdot can spread through social engineering (via an infected email that runs JavaScript code as the payload), the main infection vector is the Sundown exploit kit.

Sundown exploits many vulnerabilities including:

The full kit contains around 20 vulnerabilities at any given time, but it changes regularly to stay viable. Sundown doesn’t exploit any new vulnerability published during 2017, showing once again that you can’t ignore old vulnerabilities if attackers aren’t.

To stay safe, patch or otherwise mitigate the vulnerabilities listed above immediately. To be proactive, make sure that you have intelligence and processes in place to quickly flag which of your vulnerabilities have exploit code available, are actively being exploited in the wild or are packaged in ready-to-use crimeware.
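As an added illustration of that flagging process (this is not code from Skybox or from the Bitdefender paper), the following Python ranks a constructed vulnerability inventory against a constructed exploit-intelligence feed, so that a finding packaged in a crimeware kit such as Sundown outranks a higher-CVSS finding nobody is exploiting. The CVE identifiers and the feed contents are placeholders made up for the example.

```python
"""Rank findings by exploit intelligence rather than by CVSS alone."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str      # placeholder identifier (constructed, not a real CVE)
    asset: str
    cvss: float


@dataclass
class Intel:
    exploit_code: bool = False    # public exploit code is available
    in_the_wild: bool = False     # active exploitation has been reported
    crimeware_kits: tuple = ()    # kits known to package this vulnerability


# Constructed exploit-intelligence feed keyed by placeholder identifier.
INTEL = {
    "CVE-0000-0001": Intel(exploit_code=True, in_the_wild=True, crimeware_kits=("Sundown",)),
    "CVE-0000-0002": Intel(exploit_code=True),
    "CVE-0000-0003": Intel(),
}

# Constructed inventory: the highest-CVSS item has no known exploitation.
FINDINGS = [
    Finding("CVE-0000-0003", "fileserver-01", 9.8),
    Finding("CVE-0000-0001", "workstation-17", 7.5),
    Finding("CVE-0000-0002", "workstation-22", 6.1),
]


def urgency(finding, intel):
    """Return (score, reasons); a higher score means patch sooner."""
    i = intel.get(finding.cve, Intel())
    score, reasons = 0.0, []
    if i.crimeware_kits:                  # ready-to-use crimeware: top priority
        score += 100
        reasons.append("packaged in " + ", ".join(i.crimeware_kits))
    if i.in_the_wild:
        score += 50
        reasons.append("exploited in the wild")
    if i.exploit_code:
        score += 20
        reasons.append("public exploit code")
    return score + finding.cvss, reasons   # CVSS only breaks ties within a tier


def prioritise(findings, intel=INTEL):
    """Return [(cve, asset, reasons)] ordered from most to least urgent."""
    ranked = sorted(findings, key=lambda f: urgency(f, intel)[0], reverse=True)
    return [(f.cve, f.asset, urgency(f, intel)[1]) for f in ranked]
```

Run with `prioritise(FINDINGS)`: the Sundown-packaged finding comes first even though its CVSS score is the lowest but one.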


Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites on the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing and a Bachelor's degree in Computer Science and Mathematics.
