Researchers at Bitdefender first spotted the Terdot banking Trojan in October 2016. The malware, which derives inspiration from the 2011 source code leak of the Zeus banking Trojan, goes beyond the usual capabilities of banking malware and could be used for cyberespionage.
It has all the main functionalities of a banking Trojan. Terdot arrives via a malicious email carrying a button disguised as a PDF link. When clicked, it infects the machine and sets up a Web proxy that sits between the browser and the bank. Any data victims send to a bank is intercepted and modified in real time, and the bank's response is intercepted and modified the same way.
Terdot can also be used to view and modify traffic on email and social media platforms, collect victims' financial information, steal credentials, inject HTML code on visited Web pages, and download and execute files. Because it lives in the browser, it has unrestricted access to whatever is posted using that browser. It can monitor activity and inject spyware.
Detection and removal are tough, says Botezatu. "It has modules that ensure persistence. It injects itself into every process on that machine, and these processes act like a watchdog to one another."