Terdot
Posted: November 20, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 853 |
| First Seen: | September 8, 2021 |
| Last Seen: | May 23, 2023 |
| OS(es) Affected: | Windows |
Terdot is a banking Trojan that collects online login credentials, especially for banking and social media accounts. As a persistent background threat, Terdot may conduct activities whose symptoms are limited or difficult to recognize, such as spoofing content in your Web browser or intercepting network communications. Always keep anti-malware protection ready and updated for detecting and deleting Terdot automatically, and watch for indicators of compromise in any Web accounts.
The Still-Sounding Echoes of the God of Lightning
The first attacks of Keylogger Zeus are many years old, but most aspects of its programming remain viable for cybercrooks in need of financial information. One specific variant of that threat, a roughly year-old spyware program referred to as Terdot, has recently received noteworthy updates to its payload. This new build of Terdot includes what malware experts assess as extremely comprehensive login-collecting capabilities, covering both generalized and highly focused attacks against the user's Web accounts.
The people who manage Terdot's campaign use two ways of circulating this banking Trojan: a website-hosted threat called the SunDown Exploit Kit, and imitation PDF documents attached to spam e-mails. By exploiting script-based vulnerabilities in the victim's software or by tricking the user into launching the Trojan downloader, they gain access to the PC and install Terdot. Terdot also includes highly configurable downloading features in its payload, which it could use for self-patching as well as for dropping separate threats onto the computer.
The majority of Terdot's payload is dedicated to collecting information by intercepting it via the conventional 'Man-in-the-Middle' strategy, which logs any network-transferred information the user enters before passing it on to the intended party, such as a third-party website. Terdot also leverages this feature for conducting sophisticated phishing attacks that redirect the victim to a fake site imitating the login pages of domains such as an online banking service. Malware experts confirm that Terdot includes certificate-imitating features, which could add an extra layer of apparent authenticity to these tactic sites.
Filtering Trojans out of the Customer Waiting Line
Only some of Terdot's code is original, but its partial derivation from Keylogger Zeus isn't an indication that its administrators are lax in their work. Terdot's latest version has significant updates and includes features, such as memory-hooking, that allow it to run in the background without alerting the user and hamper the detection attempts of standard security solutions. Although Terdot's MitM attacks intercept all network traffic, Terdot also shows a focus on specific website types, including e-mail services and social media (such as Gmail). However, the Trojan ignores any data from the VK.com domain, raising some questions about the threat's possible links to Russian threat actors.
The EKs that install Terdot may take advantage of hosting on compromised advertising networks, hacked websites or corrupted websites that pretend to offer content such as TV shows or games. Since the SunDown Exploit Kit depends on preexisting vulnerabilities in your software, users can defend themselves by updating all programs promptly and by having anti-malware products block these drive-by downloads by default. Anti-malware solutions also should identify Trojan downloaders that use fake PDF iconography or, in a post-infection situation, delete Terdot from within a secure environment, such as Safe Mode.
Terdot is a Trojan that offers far more diversity in its data-thieving techniques than is possible with any 'real life' burglary or pickpocket attempt. When spyware includes sufficiently advanced tactics, your best strategy is to prevent it from unloading them at all by stopping that first infection from happening.
03.31.20 Update
Old malware families often resurface when their authors find a new way to propagate them reliably. Such is the case with Terdot, a banking Trojan that had seen little use in the past three years. The threat, also called Zloader or Zeus Sphinx, is once again being spread online. Its targets are likely to be users in Canada, the United States and Australia. The recipients may receive a phishing email titled 'COVID-19 Relief'; clearly, the authors of Terdot have decided to piggyback on the attention surrounding the Coronavirus pandemic and try to profit from it. The phishing email contains a compromised document that can execute a macro script meant to deploy and run a copy of Terdot.
Recipients of the email are told that they are entitled to compensation from the COVID-19 relief fund, and that they have to fill in the attached form to confirm their request. Since millions of people are likely to experience financial difficulties because of the pandemic, it is not a surprise that the authors of the Terdot Trojan have adopted such a strategy to infect their targets. If the document attachment is opened, it may execute the macro script responsible for the initialization of Terdot.
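The delivery vector above rests on a macro-bearing Office attachment, so a mail gateway check that spots the VBA part inside an OOXML container (and a VBA part hidden in a non-macro extension such as .docx) is a useful first line of defense. This is an added example, not code from the original article or from any product it mentions; the attachment it inspects is constructed in memory, and the filename and content-type strings are assumptions for the sake of illustration.

```python
# Added example (not from the original article): a mail-gateway style check for
# the macro-bearing Office attachments this lure relies on. Only the OOXML (zip)
# container is handled; the sample attachment below is constructed in memory.
import io
import zipfile

MACRO_ENABLED = "macroEnabled"          # appears in the content type of .docm/.xlsm parts
NON_MACRO_EXTS = {"docx", "xlsx", "pptx"}

def inspect_attachment(filename, data):
    """Return a dict describing why an OOXML attachment deserves quarantine."""
    result = {"ooxml": False, "has_vba": False, "macro_type": False, "ext_mismatch": False}
    if not data.startswith(b"PK\x03\x04"):
        return result                    # not a zip container: OLE .doc etc. need another parser
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["ooxml"] = True
        # The VBA project is stored as a binary part, e.g. word/vbaProject.bin
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            result["macro_type"] = MACRO_ENABLED in z.read("[Content_Types].xml").decode("utf-8", "replace")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A VBA part inside a .docx is a classic attempt to slip past extension-based filters
    result["ext_mismatch"] = result["has_vba"] and ext in NON_MACRO_EXTS
    return result

def should_quarantine(filename, data):
    r = inspect_attachment(filename, data)
    return r["has_vba"] or r["macro_type"]

def build_sample(with_macro):
    """Constructs a minimal OOXML document in memory (sample input, not a real lure)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_attachment("COVID-19_Relief_Form.docm", build_sample(True)))
    print(inspect_attachment("Relief_Form.docx", build_sample(True)))   # VBA hidden in .docx
    print(inspect_attachment("clean.docx", build_sample(False)))
```

Legacy OLE-format .doc lures need a different parser (the container is not a zip), which is why the check reports them as non-OOXML rather than clean.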
This banking Trojan is able to keep track of active Web browser tabs, and it will regularly check whether the user is visiting an online banking portal that the Trojan supports. If such an event occurs, the Trojan may alter the page so that it includes fake forms that submit data to the attackers; these forms may ask for personal and payment information that could be used to execute fraudulent transactions.
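The page alteration just described, like the 'Man-in-the-Middle' interception and fake login pages discussed earlier, leaves two tell-tales in the rendered HTML: a form whose action points off the bank's origin, and fields the genuine page never asked for. The following added example (not code from the original article) checks a page for both, assuming the defender knows the field names of the legitimate form; the HTML, hostnames and field names are constructed sample input.

```python
# Added example (not from the article): flag forms a web inject may have added to a
# banking page, given the field names the legitimate form is known to carry.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
class FormCollector(HTMLParser):
    """Collects every <form> on the page with its action URL and input names."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and attrs.get("name"):
            self._current["fields"].add(attrs["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_injected_forms(page_url, html, expected_fields):
    """Return (action, reasons) for forms that post off-origin or collect fields the
    genuine page never asked for: the two tell-tales of an injected form."""
    parser = FormCollector()
    parser.feed(html)
    origin = urlparse(page_url).netloc.lower()
    findings = []
    for form in parser.forms:
        target = urlparse(urljoin(page_url, form["action"])).netloc.lower()
        reasons = []
        if target != origin:
            reasons.append("posts off-origin to " + target)
        extra = form["fields"] - {f.lower() for f in expected_fields}
        if extra:
            reasons.append("unexpected fields: " + ", ".join(sorted(extra)))
        if reasons:
            findings.append((form["action"], reasons))
    return findings

# Constructed sample: the bank's genuine login form, then one an inject added.
SAMPLE_HTML = """
<form action="/login" method="post"><input name="username">
  <input type="password" name="password"><input type="hidden" name="csrf_token"></form>
<form action="https://collector.invalid/submit" method="post"><input name="card_number">
  <input name="pin"><input name="mothers_maiden_name"></form>
"""
EXPECTED = {"username", "password", "csrf_token"}   # known layout of the real page
```

Calling `find_injected_forms("https://bank.example/login", SAMPLE_HTML, EXPECTED)` returns only the second form, reported for both reasons; a form that posts to the bank's own origin but adds card or PIN fields is still flagged by the field check alone.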
The 'COVID-19 Relief' phishing scam is not the only Coronavirus-themed fraud running online. The 'Get Corona Safety Mask' Scam is another con that cybercriminals use to propagate harmful applications.