Terdot is a banking trojan that can also be used to steal information or as a backdoor. It first appeared in October 2016 but increased in sophistication during the latter half of 2017. It is based on the Zeus banking trojan, using its source code and adding new capabilities. Terdot can operate a local Man-in-the-Middle proxy server to sniff and reroute web traffic, or use it in conjunction with a browser injection function to steal credentials and download and execute files from a remote server. To evade detection, it uses legitimate tools, which are often whitelisted, to perform its functions. Additionally, this trojan uses a Domain Generation Algorithm (DGA) to generate domains for its C2 server, making it more difficult to track, block, and infiltrate.

As of November 2017, Terdot is distributed via spam email and delivered by the Sundown exploit kit, targeting customers of the following Canadian banks: CFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion Bank, Banque Nationale, Scotiabank, CIBC, and Tangerine Bank. Additionally, it steals login credentials from email and social media accounts such as Gmail, Yahoo Mail, Live.com, Facebook, Twitter, Google+, and YouTube. Researchers at Bitdefender found instructions in the code designed to prevent Terdot from collecting credentials for VK.com, the Russian social networking site. The emails contain only a PDF icon that, if clicked, triggers the JavaScript code that downloads and runs Terdot.

Technical Details

  • Bitdefender provides technical analysis of Terdot here.