Hackers and malware authors have always been a crafty bunch. Specialists among them are skilled at flying under the radar and remaining undetected for extended periods of time. Part of their strategy is to keep their malicious intellectual property to themselves. "Open source" malware is by no means stealthy, as everyone from professional to amateur has access to it. Once in a while, certain previously undetected malware strains get leaked in one form or another. When this happens, cyber-security researchers gain a unique insight into how they are created and the function they are meant to carry out. Examples of this include Mirai, KINS, Carberp and Zeus. When this happens, it is not only researchers that benefit but also other criminals, who instantly gain access to pro-level code.
In a recent whitepaper published by Bitdefender, we see how leaked malware families can be developed into new variants capable of doing more damage to targeted victims.
Terdot based on Zeus banking Trojan
Called "Terdot" by researchers at Bitdefender, the code is built upon the Zeus Trojan, whose source was leaked in 2011. While it is based on Zeus, the authors of Terdot have added new features which allow it to operate at a higher capacity than the Zeus banking Trojan. One of the really interesting features of Terdot is that, like the previously seen Netrepser targeted attack, it uses legitimate tools in an attempt to conceal itself. To do this, it leverages legitimate applications such as certificate injection tools for nefarious purposes, rather than specialized utilities developed in house.
While technically a banking Trojan, Terdot goes far beyond that by being able to eavesdrop on and modify traffic on most social media and email platforms. Its automatic update capability allows it to download and execute any files when requested by its operator, meaning it can acquire new capabilities at any time.
Terdot seen in the wild in a targeted attack