CyberWire Daily - Waiting for Terdot, a sneaky banking Trojan. [Research Saturday]
Episode Date: November 25, 2017
The Terdot Banker Trojan is a descendant of the Zeus family of malware, and has evolved to feature serious espionage capabilities. It can compromise transactions, steal accounts and credit card information, and can eavesdrop on and modify traffic on social media and email platforms. While not yet widely spread, it's a threat to consumers and businesses alike. Bogdan Botezatu is a senior e-threat analyst at Bitdefender, and he takes us through their recently published whitepaper.
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private.
Go to JoinDeleteMe.com/N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout.
That's JoinDeleteMe.com/N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement by connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
We were analyzing something different, a web proxy, a component that's usually associated with advanced persistent threats, with very targeted attacks.
That's Bogdan Botezatu, a senior e-threat analyst at Bitdefender.
And while looking in our library for that web proxy,
we realized that we had some samples that were not part of an advanced targeted attack,
but rather of a commercial operation.
So we started looking into this piece of malware powered by the web proxy,
and we realized it was a banker Trojan that could be used for cyber espionage purposes.
This happened somewhere in January 2017.
It took us a while to analyze, to go through its code,
and we eventually came up with this paper.
Why don't you start off by giving us a description of what Terdot does?
Terdot is a conventional banker trojan.
It's a piece of malware that can inject different other forms in your e-banking logins
or can seize information about your account in real time.
Or even worse, for some banks, it can hijack banking transactions
by modifying the amount of money and the destination accounts for those transactions.
Because it lives in your browser, it doesn't really require special permissions from the bank
because the bank would see that activity
as originating on your behalf and because it also sits in the middle of
the transaction it can also manipulate the bank's responses to trick the user
into thinking that a transaction went as planned while in fact the transaction
had been hijacked to a different account.
So, Terdot is based on the 2011 Zeus source code, is that correct?
Yes. Zeus was a very powerful piece of malware at that time.
It has served as inspiration for a number of malware families like Carberp, KINS, now Terdot, and most likely IcedID, the latest banker trojan that has
made the news a couple of days ago. By open sourcing this code, the Zeus original developers
have triggered an entire chain of infections that still makes victims up until now.
And one of the things that makes Terdot
so powerful is that beyond just being a banker trojan, it can get its hooks into
a lot of other things. We can understand the banker part. Everybody is after your money,
but it's highly unusual for a banker trojan to go after personal information.
Usually this kind of banker trojan looks for stuff that can be monetized rather than for information that can be used for other purposes.
It was highly surprising for us to see that Terdot goes after social logins or after email logins.
Just by inspecting the traffic between us and our inboxes,
Terdot can actually get its hands on our Gmail logins or our Microsoft Live logins.
This might actually have a reasonable explanation
if we think that a couple of banks, for instance,
use two-factor authentication in the form of tokens sent via email. So when you need
to confirm a transaction, you get an email from the bank with a special number that you can only
use once. After the transaction completes, that token gets voided and you need to require a new
token to carry out a new transaction. But then again, this feature can be abused for more than banking transactions.
Basically, somebody could have unrestricted access to our email logins and use whatever
information they find there for different other purposes.
Yeah, it's interesting you all noted in your research that it's specifically instructed not to gather data from vk.com, which of course is a large Russian social media platform.
Exactly. Most of these banker trojans, especially those that build on the legacy of Zeus, tend to avoid the former Soviet Union space.
This might be due to the fact that its operators live there and would rather not stir any kind of conflict that could have them prosecuted in the region. I'd like to mention the case of Carberp, another very, very interesting banker trojan, whose
operators have been arrested after inadvertently attacking a Ukrainian bank. So this team was
residing in Ukraine and by mistake, they attacked a Ukrainian bank, which automatically brought them
into the local authorities' spotlight. So they were arrested in less than five days after the attack.
I see.
So let's walk through how Terdot works.
How does someone initially get compromised by it?
There are two attack avenues, one which is aimed at the general public and one that looks
like it's aimed at professionals and companies.
For the general public, there's this infection with an exploit kit.
Basically, a user, a potential victim, doesn't have to interact with a spam message,
but rather to stumble upon an infected web page that assesses the security level of their browser
and the third-party software in order to plant an exploit.
That exploit would make the browser crash, for instance, and when it recovers,
the browser will inadvertently trigger the execution of Terdot in its memory space. That would result in an infection. And from there on, Terdot will
try to subvert bank transactions and log critical information. That would be the attack avenue for
a regular consumer. For companies, we presume that the infection happens through a rigged PDF file
that comes as an attachment to spam emails. When it is opened, it triggers the execution of
Terdot. So in both of those situations, is there any indication that anything's going on? Does the
user have to click through or give it any permission to start running? No, because both
attack avenues are based on an exploit inside the browser, the user will only see that the browser has crashed and that it has recovered back.
But that's not enough evidence to presume that you are infected or that something has happened, something bad has actually happened on your computer.
Because we all have some bad times when our browser crashes out of the blue and it just recovers.
So for people who are less tech-savvy, this would not be an indication that their computer has been compromised.
And just like any other banker trojan, Terdot is extremely sneaky and very, very difficult to isolate and contain.
It has multiple mechanisms that protect it against antivirus scanning, for instance,
or against shutdowns. Whenever it's shut down, it has some sort of a watchdog process
that brings it back to life. It is very difficult for an untrained user to tell an
infection and stop it.
Well, let's go through that. Can you highlight some of the ways that Terdot runs once it's been installed in your system?
Yes. Terdot, once it has been installed
on the system, will inject itself into all browser processes.
It makes sure that it runs in Windows Internet Explorer, in Firefox, in Chrome,
and any other browser that the user might have on the system.
It hooks the browser processes, so everything that the user types in the browser or gets displayed in the browser actually goes through that web proxy it sets up earlier in the infection stage.
I think that that web proxy component is actually the most important part of the malware
because it's that component that helps the malware decrypt SSL encrypted messages. So before it starts modifying anything,
it just creates a universal certificate authority
so it can negotiate digital certificates
on behalf of the banks it targets
or social networks it targets.
We believe that we are talking to Facebook
while in fact we are talking to the web proxy which is talking to Facebook
on our behalf. So that web proxy becomes a man in the middle between us and the page we'll try
to visit and everything even encrypted information flows to that web proxy. That web proxy also logs
critical information that it has been instructed to look after,
like usernames, passwords, cookies, fragments of conversation, and of course, banking transactions.
And it stacks them into a log file.
That log file will be further sent to the attackers at a specific interval of time.
Take us through what's going on in terms of the command and control server.
The command and control server is still a mystery because we don't have access to that component yet.
We can see what's happening in the user space, what the payload is trying to communicate to the command and control server.
And we are trying to understand how the control server works based by that
information. We're still trying to get our hands on a copy of a command and control server,
but this requires extensive collaboration with law enforcement. So we are trying to
seize one to see exactly what the communication patterns are, how we can intercept this communication,
and how we can notify potential victims that have connected to the command and control server.
But these kinds of operations usually take a lot of time.
Well, let's talk about persistence. How does Terdot manage to stay on your system through restarts?
Terdot employs a couple of very advanced tricks to survive a restart.
Usually it adds itself to the registry keys to make sure that it boots along with your operating
system. And it also creates some scheduled jobs that are responsible both for starting watchdog
processes and, of course, are responsible for attempting to update
the malware to the latest version. Every time the command and control server communicates
to the malware that there's a new version, it undergoes serious scrutiny to make sure that
it's actually installing another version of the malware as designed by its creator, and not a spoofed version that could hijack the Terdot malware for different cybercrime gangs.
So competition in this industry is very harsh.
And whoever operates and builds Terdot has made sure that it always stays in control of the malware.
Persistence is also assured by the fact that Terdot is injected in all DLLs running on the system.
So even if a process gets killed by the antivirus or by the user,
different other processes running instances of Terdot will continue the surveillance and monitoring.
This is very important for a cyber espionage tool because in those moments where it's not active,
the user might have exchanged crucial information that could have escaped the attacker.
So ensuring persistence and making sure that you're always running on the computer will also increase the odds that the malware is intercepting interesting information that can be actually monetized by the operators.
Do you have a sense for how widespread Terdot is so far?
It's not very widely spread.
Terdot is just recovering from a period of inactivity.
We have been seeing Terdot since March 2016.
In December 2016, it was almost extinct.
We didn't see too much Terdot activity.
In December, though, it started to reemerge in this new form
that uses a web proxy component for espionage and that also uses a
secondary spreading mechanism in the form of rigged email attachments to make it to companies.
Before that, it was only spread by the Sundown Exploit Kit, which was kind of popular in Asia
and the Pacific. And this might account for its very, very low spread before that.
Even if it's not very widely spread, this malware is important
because, for one, it targets your bank account.
And if it lands on the wrong computer, like a payroll computer in a company,
it could inflict damages in millions.
And secondly, it goes after more than the money.
It pretty much goes through all our logins, steals whatever it can from our computers. So
we could also lose money, social accounts, and even information that might pertain to our employer
in case we are running our email operation from a Google-based app.
What is your advice for people to protect themselves against this?
What's the best approach?
The best approach would be to make sure that they don't let spammy emails in.
Sometimes we are tempted to open up emails that look like invoices
or that look like failed delivery notices
because we want to see what we have been missing out on. Most of the time these failed delivery notices and fake invoices
usually harbor malware, and this is the primary way we get infected with Terdot.
Secondly, a good security solution installed on the computer should block this threat from installing in the first place.
Or if it has made it through our defenses, should pick it up when it attempts to modify digital certificates on our computer or when it attempts to modify banking transactions.
A good security solution will be able to intercept it.
But we have zero chances of detecting that
just by looking at the computer with our eyes.
Our thanks to Bogdan Botezatu from Bitdefender for joining us.
You can find a complete white paper on the Terdot banking Trojan on Bitdefender's website.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Volecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard,
Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.