Zeus Banking Trojan Spawn: Alive and Kicking
Terdot Malware Features Venerable Banking Trojan's Code, With Improvements
The Zeus banking Trojan may have had its heyday in the early 2010s. But like its namesake - the god of sky and thunder in ancient Greece and a mythological counterpart to Jupiter, Odin and Thor - the malware may well be immortal.
The longevity of Zeus malware is thanks, in part, to the sophisticated and highly effective Trojan having gone "open source" in 2011. That's when the source code for Zeus was leaked for unknown reasons, enabling anyone to "roll their own" banking Trojan, spawning numerous variants.
New variants continue to surface, including Terdot. The multipurpose malware, which has been around since at least mid-2016, is designed to steal online credentials for not only a number of banks, but also webmail providers as well as social networks, according to a report from Romanian anti-virus vendor Bitdefender.
"Terdot is sophisticated like a banker Trojan, but it behaves like an information stealer," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, tells Information Security Media Group. He says the malware includes the ability to launch man-in-the-middle attacks against services used by infected endpoints, steal credentials as well as inject HTML into web pages, for example, to disguise behavior when users have logged into an online banking site. The Zeus variant also carries its own root certificate to bypass bank sites' use of HTTPS.
"Terdot is particularly interesting because it aims for more than wallets and is able to intercept all communications originating from the infected machine, decrypting them in real time and/or modifying data arbitrarily," he says. "It can be used as a cyber espionage tool that is extremely difficult to identify and stop."
Early this year, the independent information security researcher known as Hasherezade spotted Terdot acting as a dropper, referring to a piece of malware that's designed to install other pieces of malware. In this instance, Terdot was installing a version of Zeus, she said.
"the payload.dll that I unpacked on the video is Terdot.A/Zloader and it downloads + injects the client32.dll (Zbot)" - hasherezade (@hasherezade), January 2, 2017
Since late 2016, some Terdot variants have been distributed via the Neutrino exploit kit, according to the security firm Malwarebytes. Neutrino is also known as the Sundown exploit kit (see Rent the Latest Exploit Toolkit for $80 Per Day).
At least so far, Terdot appears to be a relatively small-scale operation focused on Australian, British, Canadian and U.S. users, Botezatu says. "It is not the prevalence that inspired Bitdefender's team to look into the threat, but its capabilities to remain hidden once it infects a host," he explains.
One recently obtained sample of the malware includes code designed to steal different types of credentials, including those of:
- Canadian banks: Banque Nationale, BMO, CIBC, Desjardins, PC Financial, Royal Bank, Scotiabank, Tangerine Bank and the Toronto Dominion Bank;
- Email providers: including Microsoft's live.com login page, as well as all top-level domains for both Gmail and Yahoo Mail;
- Social networks: Facebook, Twitter, Google Plus, YouTube.
One potential clue to the malware's origin: It's designed to avoid collecting any data from vk.com, which is Russia's largest social media platform, Bitdefender's report notes (see Russian Cybercrime Rule No. 1: Don't Hack Russians).
Spawn of Zeus
Terdot isn't the only malware to have been spawned by Zeus. Since the source code leaked in 2011, it has "served as the inspiration for hundreds of banker Trojans," Bitdefender's Botezatu says.
On Thursday, Zeus Tracker, which tracks Zeus servers and offers related block lists, reported that it was tracking 479 Zeus command-and-control servers, of which 131 were online. It says Zeus binaries get detected on average 43 percent of the time, according to the VirusTotal free malware-scanning service.
Zeus formerly sold for $2,000 to $10,000 on underground forums. When its source code was leaked, some security experts suggested that it was done to throw investigators off the trail of whomever created it or might be using it. The Zeus code was also absorbed into the SpyEye banking Trojan code.
But Zeus wasn't the only malware that's seen its source code get leaked, purposefully or otherwise.
The source code for the Carberp banking Trojan, which sold for up to $40,000, leaked in 2013. While the code remains free and at large, the developers of the malware, which targeted banks in Russia, were not so lucky. All were reportedly arrested by authorities in Russia in 2012.
Last year, meanwhile, Mirai botnet source code was released, enabling anyone to create their own malware for infecting dozens of different types of internet of things devices. The code may have also already spawned IoT-infecting offspring, such as Reaper malware.
Gameover Zeus Heydays
The most-used free source code for creating "DIY malware," however, continues to be Zeus. Besides Terdot, last year, the source code first appeared in Floki Bot - aka flokibot - malware, which is designed to exploit point-of-sale devices. The malware, which first appeared for sale on darknet forums in September 2016, included numerous improvements to the Zeus source code, many of which were intended to help the malicious code evade detection (see Zeus-Derived Malware Continues to Pwn POS Devices).
But the most infamous Zeus variant to date was arguably the Gameover Zeus malware, which reused Zeus components and targeted online bank account credentials. The malware was also used to distribute CryptoLocker ransomware. In May 2014, a law enforcement takedown disrupted the operation, which the FBI estimated infected up to 1 million PCs worldwide and had been used to steal more than $100 million.
FBI Blames Bogachev For Creating Zeus
The FBI has blamed Russian citizen Evgeniy Mikhailovich Bogachev for creating Zeus and Gameover Zeus, and it's offering a reward of up to $3 million for information that leads to his arrest. Bogachev, aka "lucky12345" and "slavik," was first indicted in U.S. federal court in 2012 on charges that include bank fraud, identity theft and hacking.
Bogachev's name resurfaced earlier this year in the wake of the U.S. intelligence establishment warning that Russia had meddled in the 2016 U.S. presidential election. Authorities said they suspected Russian intelligence agencies of using Bogachev's malware to help them infiltrate PCs (see Report: Russian Espionage Piggybacks on Cybercrime).
But Bogachev remains at large, apparently in Russia. Unfortunately for Western law enforcement agencies, Russia doesn't extradite its citizens based on foreign indictments. So long as Bogachev sticks to his native country - and continues his alleged cooperation with Russian agencies - he seems likely to remain free and potentially to continue his alleged malware-writing ways.