Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Zeus Banking Trojan Spawn: Alive and Kicking

Terdot Malware Features Venerable Banking Trojan's Code, With Improvements
Zeus Banking Trojan Spawn: Alive and Kicking
"Otricoli Zeus," now in the Vatican Museum. (Source: Wikimedia Commons)

The Zeus banking Trojan may have had its heyday in the early 2010s. But like its namesake - the god of sky and thunder in ancient Greece and a mythological counterpart to Jupiter, Odin and Thor - the malware may well be immortal.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The longevity of Zeus malware is thanks, in part, to the sophisticated and highly effective Trojan having gone "open source" in 2011. That's when the source code for Zeus was leaked for unknown reasons, enabling anyone to "roll their own" banking Trojan, spawning numerous variants.

New variants continue to surface, including Terdot. The multipurpose malware, which has been around since at least mid-2016, is designed to steal online credentials for not only a number of banks, but also webmail providers as well as social networks, according to a report from Romanian anti-virus vendor Bitdefender.

"Terdot is sophisticated like a banker Trojan, but it behaves like an information stealer," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, tells Information Security Media Group. He says the malware includes the ability to launch man-in-the-middle attacks against services used by infected endpoints, steal credentials as well as inject HTML into web pages, for example, to disguise behavior when users have logged into an online banking site. The Zeus variant also carries its own root certificate to bypass bank sites' use of HTTPS.

"Terdot is particularly interesting because it aims for more than wallets and is able to intercept all communications originating from the infected machine, decrypting them in real time and/or modifying data arbitrarily," he says. "It can be used as a cyber espionage tool that is extremely difficult to identify and stop."

Early this year, the independent information security researcher known as Hasherezade spotted Terdot acting as a dropper, referring to a piece of malware that's designed to install other pieces of malware. In this instance, Terdot was installing a version of Zeus, she said.

Since late 2016, some Terdot variants have been distributed via the Neutrino exploit kit, according to the security firm Malwarebytes. Neutrino is also known as the Sundown exploit kit (see Rent the Latest Exploit Toolkit for $80 Per Day).

Highly Stealthy

At least so far, Terdot appears to be a relatively small-scale operation focused on Australian, British, Canadian and U.S. users, Botezatu says. "It is not the prevalence that inspired Bitdefender's team to look into the threat, but its capabilities to remain hidden once it infects a host," he explains

One recently obtained sample of the malware includes code designed to steal different types of credentials, including those of :

  • Canadian banks: Banque Nationale , BMO, CIBC, Desjardins, PC Financial, Royal Bank, Scotiabank, Tangerine Bank and the Toronto Dominion Bank;
  • Email providers: Including Microsoft's live.com login page, as well as all top-level domains for both Gmail and Yahoo Mail;
  • Social networks: Facebook, Twitter, Google Plus, YouTube.

One potential clue to the malware's origin: It's designed to avoid collecting any data from vk.com, which is Russia's largest social media platform, Bitdefender's report notes (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

Terdot includes "man in the browser" web injection capabilities. Some variants include web injections for spoofing sessions at the Santander bank website. (Source: Malwarebytes)

Spawn of Zeus

Terdot isn't the only malware to have been spawned by Zeus. Since the source code leaked in 2011, it has "served as the inspiration for hundreds of banker Trojans," Bitdefender's Botezatu says.

The FBI's "cyber most wanted" poster for Evgeniy M. Bogachev, a Russian citizen who's accused of creating Zeus and Gameover Zeus.

On Thursday, Zeus Tracker, which tracks Zeus servers and offers related block lists, reported that it was tracking 479 Zeus command-and-control servers, of which 131 were online. It says Zeus binaries get detected on average 43 percent of the time, according to the VirusTotal free malware-scanning service.

Zeus formerly sold for $2,000 to $10,000 on underground forums. When its source code was leaked, some security experts suggested that it was done to throw investigators off the trail of whomever created it or might be using it. The Zeus code was also absorbed into the SpyEye banking Trojan code.

But Zeus wasn't the only malware that's seen its source code get leaked, purposefully or otherwise.

The source code for the Carberp banking Trojan, which sold for up to $40,000, leaked in 2013. While the code remains free and at large, the developers of the malware, which targeted banks in Russia, were not so lucky. All were reportedly arrested by authorities in Russia in 2012.

Last year, meanwhile, Mirai botnet source code was released, enabling anyone to create their own malware for infecting dozens of different types of internet of things devices. The code may have also already spawned IoT-infecting offspring, such as Reaper malware.

Gameover Zeus Heydays

The most-used free source code for creating "DIY malware," however, continues to be Zeus. Besides Terdot, last year, the source code first appeared in Floki Bot - aka flokibot - malware, which is designed to exploit point-of-sale devices. The malware, which first appeared for sale on darknet forums in September 2016, included numerous improvements to the Zeus source code, many of which were intended to help the malicious code evade detection (see Zeus-Derived Malware Continues to Pwn POS Devices).

But the most infamous Zeus variant to date was arguably the Gameover Zeus malware, which reused Zeus components and targeted online bank account credentials. The malware was also used to distribute CryptoLocker ransomware. In May 2014, a law enforcement takedown disrupted the operation, which the FBI estimated infected up to 1 million PCs worldwide and had been used to steal more than $100 million.

FBI Blames Bogachev For Creating Zeus

Beyond allegedly enjoying running a banking Trojan botnet empire, Evgeniy M. Bogachev appears to like cats. (Photo: FBI)

The FBI has blamed Russian citizen Evgeniy Mikhailovich Bogachev for creating Zeus and Gameover Zeus, and it's offering a reward of up to $3 million for information that leads to his arrest. Bogachev, aka "lucky12345" and "slavik," was first indicted in U.S. federal court in 2012 on charges that include bank fraud, identity theft and hacking.

Bogachev's name resurfaced earlier this year in the wake of the U.S. intelligence establishment warning that Russia had meddled in the 2016 U.S. presidential election. Authorities said they suspected Russian intelligence agencies of using Bogachev's malware to help them infiltrate PCs (see Report: Russian Espionage Piggybacks on Cybercrime).

But Bogachev remains at large, apparently in Russia. Unfortunately for Western law enforcement agencies, Russia doesn't extradite its citizens based on foreign indictments. So long as Bogachev sticks to his native country - and continues his alleged cooperation with Russian agencies - he seems likely to remain free and potentially continuing his alleged malware-writing ways.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.