
Threat Spotlight: Terdot.A/Zloader Malicious Downloader

By Cylance Threat Guidance Team

On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).

Threat Overview

Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but its latest iterations include a host of espionage-oriented data-stealing functionalities. It has been observed downloading Zbot, a banking Trojan/bot, and injecting it into Windows processes such as msiexec and web browsers such as Firefox.

Terdot is primarily distributed through malicious emails and the popular Sundown exploit kit; the malicious process starts once the payload is injected into explorer.exe, as shown in Figures 1, 2, and 3:

Figure 1

Figure 2

Figure 3

Terdot.A combined with Zbot makes a deadly combination. It is capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.

File Information:

Type       Size     Date                 ITW names
Win32 DLL  31.5 KB  2017-01-04 16:49:42
Win32 DLL  2.1 MB   2017-02-02 18:53:34

Terdot.A/Zloader Module Capabilities

Downloader: Terdot configures proxy connections and downloads its payload (Zbot) from command and control (C2) servers over the Internet. This logic can be seen at offsets 10039FD and 10003CCE, as shown in Figures 4 and 5:

Figure 4

Figure 5

Injector: Terdot injects malicious payloads into memory; in this case it has been designed to inject Zbot into memory, which can be found at offset 100022C2, as presented in Figure 6:

Figure 6

Zbot Module Capabilities

Zbot initializes in memory through the _injectEntryForThreadEntry@4 export function, provided the infected operating system is not installed in Russian, as seen in Figure 7:

Figure 7

Figure 8 highlights the WMI queries used to check the operating system version, which can be found at offset 1010A44:

Figure 8


Zbot reads and manipulates browser cookies, which are stored in the form of SQLite databases, by executing two SQL queries:

•   'select `host_key`, `name`, `encrypted_value` from `cookies`', used to read and decrypt Chrome cookies

•   'select `baseDomain`, `name`, `value` from `moz_cookies`', used to obtain Firefox cookies

The results are then imported into an attached SQLite database called vacumm.db, as presented in Figure 9. This capability can be found at offsets 10087E88 and 10087EC7:

Figure 9


Zbot injects WebFakes, which are fake web pages that replicate pages used by individuals and businesses, such as online banking sites, as shown in Figure 10:

Figure 10

Once a target is tricked into entering their personal information, this information is then forwarded to the attackers.


Zbot can also function as a backdoor on infected systems by initializing a VNC session, which can be identified at offsets 100085A3 and 10008659, as shown in Figures 11 and 12:

Figure 11

Figure 12

Zbot also employs proxy connections in order to connect to its C2 server; this has been identified at offsets 10060FB0 and 10061288, as highlighted in Figures 13 and 14.


Figure 13

Figure 14

IP Lookup:

Zbot performs IP lookups using hxxp://[checkip].[dyndns].[org]; this can be found at offset 1000B963, as illustrated in Figure 15:

Figure 15

The following table lists the HTTP methods that can be used by Zbot (offset and string label):

101A53A1 aDelete
101A53A8 aHead_0
101A53AD aPut_0
101A53B1 aConnect
101A53B9 aOptions
101A53C1 aTrace
101A53C7 aCopy_0
101A53CC aLock
101A53D1 aMkcol
101A53D7 aMove_0
101A53DC aPropfind
101A53E5 aProppatch
101A53EF aSearch_0
101A53F6 aUnlock
101A53FD aReport
101A5404 aMkactivity
101A540F aCheckout
101A5418 aMerge
101A541E aMSearch
101A5429 aNotify
101A5430 aSubscribe
101A543A aUnsubscribe
101A5446 aPatch
101A544C aPurge
101A5452 aMkcalendar

Table A: HTTP Commands

In addition to the capabilities mentioned above, Zbot has been observed using a certificate-signing utility, certutil, to perform MITM attacks.


To avoid being the victim of the Terdot campaign, organizations should ensure that basic security best practices are being adhered to, particularly around the handling of email and the patching of known vulnerabilities that could be exploited in an attack.

If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.

Indicators of Compromise (IoCs):


Terdot.A/Zloader, filename payload.dll

Zbot, filename client32.dll

Hardcoded IPs:

User Agent Strings:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0

Interesting Strings:

offset: 100664D7 string: 2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36
Description: The string above identifies the SQLite release version used, https://www.sqlite.org/releaselog/3_15_1.html

offset: 101F89E8 string: OpenSSL 1.0.2j 26 Sep 2016
Description: The string above identifies the OpenSSL version used.
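The cookie-theft SQL queries and the strings listed above are exact byte sequences that a defender can hunt for in memory dumps or files. The following scanner is an added example, not part of the original report or Cylance's tooling: it searches a blob for those indicators and for the HTTP method table, whose offsets in Table A step by len(name) + 1, i.e. consecutive NUL-terminated strings. The letter case of the method names is an assumption (Table A shows IDA labels, not raw bytes), and the sample blob is constructed.

```python
import re
from typing import List, Tuple

# Indicator strings copied from the write-up: the two cookie-theft SQL
# queries, the IP-lookup host, the User-Agent (reproduced as printed, without
# a closing parenthesis) and the embedded SQLite/OpenSSL version strings.
INDICATORS = {
    "chrome_cookie_query": b"select `host_key`, `name`, `encrypted_value` from `cookies`",
    "firefox_cookie_query": b"select `baseDomain`, `name`, `value` from `moz_cookies`",
    "ip_lookup_host": b"checkip.dyndns.org",
    "user_agent": b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0",
    "sqlite_release": b"2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36",
    "openssl_version": b"OpenSSL 1.0.2j 26 Sep 2016",
}

# Table A's offsets advance by len(name) + 1, so the method names sit in memory
# as consecutive NUL-terminated strings. Six of them in that exact order is a
# much stronger signal than any single method name. Case is an assumption
# (the table only shows IDA labels), hence IGNORECASE.
HTTP_METHOD_TABLE = re.compile(
    rb"DELETE\x00HEAD\x00PUT\x00CONNECT\x00OPTIONS\x00TRACE\x00", re.IGNORECASE)


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (indicator name, offset) for every hit, sorted by offset."""
    hits = []
    for name, needle in INDICATORS.items():
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    for m in HTTP_METHOD_TABLE.finditer(blob):
        hits.append(("http_method_table", m.start()))
    return sorted(hits, key=lambda h: h[1])


def is_suspicious(blob: bytes, min_distinct: int = 2) -> bool:
    """Flag a blob when at least min_distinct different indicators are present."""
    return len({name for name, _ in scan(blob)}) >= min_distinct


# Constructed sample "memory dump": padding around three of the indicators.
SAMPLE = (b"\x00" * 16 + INDICATORS["firefox_cookie_query"] + b"\x00" * 8
          + b"DELETE\x00HEAD\x00PUT\x00CONNECT\x00OPTIONS\x00TRACE\x00"
          + b"\x00" * 4 + INDICATORS["openssl_version"] + b"\x00")

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#010x} {name}")
    print("suspicious:", is_suspicious(SAMPLE))
```

Requiring two distinct indicators keeps a lone OpenSSL version string, which many legitimate binaries carry, from triggering on its own.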

About the Cylance Threat Guidance Team

The Cylance Threat Guidance team examines malware and suspected malware to better identify its abilities, functions and attack vectors. Threat Guidance is on the frontline of information security and often deeply examines malicious software, which puts it in a unique position to discuss never-seen-before threats.