Zeus, king of malware, is back … again. The notorious banking Trojan was first seen in 2010. The following year, its source code leaked, and it has borne many variants since. Researchers at Bitdefender have published a whitepaper on one recent iteration, first observed back in October 2016: Terdot.

Terdot is More Than Meets the Eye

Like Zeus, the Terdot Trojan targets web browsers to steal credentials by injecting HTML code in visited web pages and operating as a man–in–the–middle proxy. But it doesn’t stop there. Terdot also can eavesdrop on social media and email platforms like Facebook, Twitter, YouTube and Gmail. And it could further expand its capabilities, as its automatic update feature allows operators to request the Terdot Trojan download and execute any file.

While Terdot can spread through social engineering (via an infected email running Javascript code as the payload), the main infection vector is via the Sundown exploit kit.

Sundown exploits many vulnerabilities including:

The full kit contains around 20 vulnerabilities at any given time, but changes regularly to stay viable. Sundown doesn’t exploit any new vulnerability published during 2017, showing once again you can’t ignore old vulns if attackers aren’t.

To stay safe, patch or otherwise mitigate the vulnerabilities listed above immediately. To be proactive, make sure that you have intelligence and processes in place to quickly flag which of your vulnerabilities have exploit code available, are actively being exploited in the wild or are packaged in ready–to–use crimeware.

Related Posts

ZNIU: Mobile Malware and Dirty Cow — How a Dirty COW steals your information and your money


Special Report: Protecting Against Like WannaCry and Petya — Learn how threat–centric vulnerability management from Skybox flagged the vulnerabilities used in the global ransomware attacks months previously for immediate remediation. And see how you can enable proactive, focused action in your vulnerability management program