Research Saturday 11.25.17
Ep 11 | 11.25.17

Waiting for Terdot, a sneaky banking Trojan.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands-on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit, and see what they can do for your organization. Not only is it effective, it's affordable too - costing just about a twelfth of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's, and tell them the CyberWire sent you.

Bogdan Botezatu: [00:01:20] We were analyzing something different, a web proxy component that's usually associated with advanced persistent threats with very targeted attacks.

Dave Bittner: [00:01:28] That's Bogdan Botezatu, a senior e-threat analyst at Bitdefender.

Bogdan Botezatu: [00:01:33] And while looking in the library for that web proxy, we realized that we had some samples that were not part of an advanced targeted attack, but rather of a commercial operation. So we started looking into this piece of malware powered by the web proxy, and we realized it was a Banker Trojan that could be used for cyber espionage purposes. This happened somewhere in January 2017. It took us a while to analyze, to go through its code, and we eventually came up with this.

Dave Bittner: [00:02:07] Why don't you start off by giving us a description of what does Terdot do?

Bogdan Botezatu: [00:02:12] Terdot is a conventional Banker Trojan. It's a piece of malware that can inject different other forms in your banking logins or can seize information about your account in real time. Or, even worse, for some banks it can hijack banking transactions by modifying the amounts of money and the destination accounts for those transactions.

Bogdan Botezatu: [00:02:41] Because it lives in your browser, it doesn't really require special permissions from the bank, because the bank would see that activity as originating on your behalf. And because it also sits in the middle of the transaction, it can also manipulate the bank's responses to trick the user into thinking that the transaction went as planned, while in fact the transaction had been hijacked to a different account.

Dave Bittner: [00:03:09] So Terdot is based on the 2011 Zeus source code. Is that correct?

Bogdan Botezatu: [00:03:14] Yes. Zeus was a very powerful piece of malware at that time. It has served as inspiration for a number of malware families like Carberp, KINS, now Terdot, and most likely IcedID, the latest banking Trojan that has made the news a couple of days ago. By open-sourcing this code, the Zeus original developers have triggered an entire chain of infections that still makes victims up until now.

Dave Bittner: [00:03:49] And one of the things that makes Terdot so powerful is that, beyond just being a Banker Trojan, it can get its hooks into a lot of other things.

Bogdan Botezatu: [00:03:58] We can understand the Banker part - everybody is after your money - but it's highly unusual for a piece of Banker Trojan to go after personal information. Usually, this kind of Banking Trojan looks for stuff that can be monetized rather than for information that can be used for other purposes. It was highly surprising for us to see that Terdot goes after social logins or after email logins. Just by inspecting the traffic between us and their inboxes, Terdot can actually get its hands on our Gmail logins or our Microsoft Live logins.

Bogdan Botezatu: [00:04:40] This might actually have a reasonable explanation if we think that a couple of banks, for instance, use two-factor authentication in the form of tokens sent via email. So when you need to confirm a transaction, you get an email from the bank with a special number that you can only use once. After the transaction completes, that token gets voided and you need to require a new token to carry out a new transaction. But, then again, this feature can be abused for more than banking transactions. Basically somebody could have unrestricted access to our email logins and use whatever information they find there for different purposes.

Dave Bittner: [00:05:24] Yeah, it's interesting you all noted in your research that it's specifically instructed not to gather data from vk[.]com, which of course is a large Russian social media platform.

Bogdan Botezatu: [00:05:34] Exactly. Most of these Banker Trojans, especially those that build on the legacy of Zeus, tend to avoid the former Soviet Union space. This might be due to the fact that its operators lived there and would rather not stir any kind of conflict that could have them prosecuted in the region.

Bogdan Botezatu: [00:05:58] To give you just an example of what could happen if they attacked their own countries, I would like to mention the case of Carberp, another very, very interesting Banker Trojan whose operators have been arrested after inadvertently attacking a Ukrainian bank. So this team was residing in Ukraine and by mistake they attacked a Ukrainian bank, which automatically brought them into the local authorities' spotlight. So they were arrested in less than five days after the attack.

Dave Bittner: [00:06:32] I see. So let's walk through how this Terdot works. How does someone initially get compromised by it?

Bogdan Botezatu: [00:06:41] There are two attack avenues - one which is aimed at the general public, and one that looks like it's aimed at professionals and companies. For the general public, there's this infection with an exploit kit. Basically a user, a potential victim, doesn't have to interact with a spam message, but rather to stumble upon an infected web page that assesses the security level of their browser and the third-party software in order to plant an exploit. That exploit would make the browser crash, for instance, and when it recovers, the browser will inadvertently trigger the execution of Terdot in its memory space. That would result in an infection, and from there on, Terdot will try to subvert bank transactions and log critical information. That would be the attack avenue for a regular consumer.

Bogdan Botezatu: [00:07:40] For companies, we presume that the infection happens through a rigged PDF file that comes as an attachment to spam emails. When it is opened, it triggers the execution of Terdot.

Dave Bittner: [00:07:54] So, in both of those situations, is there any indication that anything's going on? Does the user have to, you know, click through or give it any permission to start running?

Bogdan Botezatu: [00:08:04] No, because it's - both attack avenues are based on an exploit inside the browser, the user will only see that their browser has crashed and that it has recovered back. But that's not enough evidence to presume that you are infected or that something has happened, something bad has actually happened on your computer, because we all have some bad times when our browser crashes out of the blue and it just recovers. So for people who are less tech-savvy, this would not be an indication that their browser has been - that their computer has been compromised.

Bogdan Botezatu: [00:08:43] And just like any other Banking Trojan, Terdot is extremely sneaky and very, very difficult to isolate and contain. It has multiple mechanisms that protect it against antivirus scanning, for instance, or against shutdowns. Whenever it's shut down, it has some sort of a watchdog process that brings it back to life. It is very difficult for an untrained user to tell an infection and stop it.

Dave Bittner: [00:09:14] Well, let's go through that. Can you highlight some of the ways that Terdot runs once it's been installed in your system.

Bogdan Botezatu: [00:09:21] Yes. Terdot, once it has been installed on the system, will inject itself into all browser processes. It makes sure that it runs in Windows Internet Explorer, in Firefox, in Chrome, and any other browser that the user might have on the system. It hooks the browser processes so everything that the user types in the browser, or gets displayed in the browser, actually goes through that web proxy it sets up earlier in the infection stage. I think that that web proxy component is actually the most important part of the malware, because it's that component that helps the malware decrypt SSL-encrypted messages.

Bogdan Botezatu: [00:10:08] So, before it starts modifying anything, it just creates a universal certificate authority so it can negotiate digital certificates on behalf of the banks it targets or social networks it targets. We believe that we are talking to Facebook, while in fact we are talking to the web proxy which is talking to Facebook on our behalf. So that web proxy becomes the man-in-the-middle between us and the page we will try to visit, and everything - even encrypted information - flows through that web proxy.

Bogdan Botezatu: [00:10:45] That web proxy also logs critical information that it has been instructed to look after, like usernames, passwords, cookies, fragments of conversation, and of course banking transactions, and it stacks them into a log file. That log file will be further sent to the attackers at a specific interval of time.

Dave Bittner: [00:11:08] Take us through what's going on in terms of the command-and-control server.

Bogdan Botezatu: [00:11:12] The command-and-control server is still a mystery because we don't have access to that component yet. We can see what's happening in the userspace, what the payload is trying to communicate to the command-and-control server, and we are trying to understand how the control server works based on that information. We're still trying to get our hands on a copy of a command-and-control server, but this requires extensive collaboration with law enforcement. So we are trying to seize one to see exactly what the communication patterns are, how we can intercept this communication, and how we can notify potential victims that have connected to the command-and-control server. But this is - these kinds of operations usually take a lot of time.

Dave Bittner: [00:12:01] Well, let's talk about persistence. How does Terdot manage to stay on your system through restarts?

Bogdan Botezatu: [00:12:07] Terdot employs a couple of very advanced tricks to survive a restart. Usually it adds itself to the registry keys to make sure that it boots along with your operating system. And it also creates some scheduled jobs that are responsible both for starting watchdog processes and, of course, are responsible for attempting to update the malware to the latest version.

Bogdan Botezatu: [00:12:35] Every time the command-and-control server communicates to the malware that there's a new version, it undergoes a serious scrutiny to make sure that it's actually installing another version of the malware as designed by its creator, and not a spoofed version that could hijack the Terdot malware for a different cyber crime gang. So the competition in this industry is very harsh, and whoever operates and builds Terdot has made sure that it always stays in control of the malware.

Bogdan Botezatu: [00:13:11] And persistence is also assured by the fact that Terdot is injected in all DLLs running on the system, so even if a process gets killed by the antivirus or by the user, different other processes running instances of Terdot will continue in the surveillance and monitoring. This is very important for a cyber espionage tool, because in those moments where it's not active, the user might have exchanged crucial information that could have escaped the attackers. So ensuring persistence and making sure that you're always running on the computer will also increase the odds that the malware is intercepting interesting information that can be actually monetized by the operators.

Dave Bittner: [00:14:00] Do you have a sense for how widespread Terdot is so far?

Bogdan Botezatu: [00:14:04] It's not very widely spread. Terdot is just recovering from a period of inactivity. We used to see Terdot since March 2016. In December 2016, it was almost extinct. We didn't see too much Terdot activity. In December, though, it started to reemerge in this new form that uses a web proxy component for espionage, and that also uses a secondary spreading mechanism in the form of linked email attachments to make it to companies. Before that, it was only spread by Sundown exploit kit, which was kind of popular in Asia and Pacific, and this might account for its very, very low spread before that.

Bogdan Botezatu: [00:14:53] Even if it's not very widely spread, this malware is important because for once it targets your bank account, and if it lands on the wrong computer like a payroll computer in a company, it could inflict damages in millions. And secondly, it goes after more than the money. It pretty much goes through all our logins, steals whatever it can from our computers, so we could also lose money, social accounts, and even information that might pertain to our employees, in case we are running our email operation from our Google-based app.

Dave Bittner: [00:15:30] What is your advice for people to protect themselves against this? What's the best approach?

Bogdan Botezatu: [00:15:35] The best approach would be to make sure that they don't let spam emails in. Sometimes we are tempted to open up emails that look like invoices or that look like failed delivery notices because we want to see what we have been missing out. Most of the time, these failed delivery notices and the fake invoices usually harbor malware, and this is the primary way we get infected with Terdot.

Bogdan Botezatu: [00:16:03] Secondly, a good security solution installed on the computer should block this threat from installing in the first place, or if it has made it through our defenses, should pick it up when it attempts to modify digital certificates on our computer, or when it attempts to modify banking transactions. A good security solution will be able to intercept it, but we have zero chances of detecting that just by looking at the computer with our eyes.

Dave Bittner: [00:16:38] Our thanks to Bogdan Botezatu from Bitdefender for joining us. You can find a complete white paper on the Terdot Banking Trojan on Bitdefender's website.

Dave Bittner: [00:16:47] And thanks again to our sponsor, Cybrary, for making this edition of Research Saturday possible. Visit, and see what they can do for your organization.

Dave Bittner: [00:16:59] Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our website,

Dave Bittner: [00:17:08] The CyberWire Research Saturday is produced by Pratt Street Media. Our coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.