
Threat Spotlight: Terdot.A/Zloader Malicious Downloader

By Cylance Threat Guidance Team

On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).

Threat Overview

Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but the latest iterations include a host of espionage-oriented data-stealing functionalities. It has been determined to download Zbot, a malicious banking Trojan/bot, which it then injects into Windows processes such as msiexec and into web browsers such as Firefox.

Terdot is primarily disseminated by way of tainted emails and the popular Sundown exploit kit. The malicious process starts once the payload is injected into explorer.exe, as shown in Figures 1, 2, and 3:

Figure 1

Figure 2

Figure 3

Terdot.A combined with Zbot makes a deadly combo. It’s capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.

File Information:

SHA256:     2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0
Type:       Win32 DLL
Size:       31.5 KB
Timestamp:  2017-01-04 16:49:42
ITW names:  Terdot.A/Zloader

SHA256:     d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1
Type:       Win32 DLL
Size:       2.1 MB
Timestamp:  2017-02-02 18:53:34
ITW names:  Zbot

Terdot.A/Zloader Module Capabilities

Downloader: Terdot configures proxy connections and downloads its payload (Zbot) from command and control (C2) servers over the Internet. This functionality can be spotted at offsets 10039FD and 10003CCE, as shown in Figures 4 and 5:

Figure 4

Figure 5

Injector: Terdot injects malicious payloads into memory; in this case it has been designed to inject Zbot. This functionality can be found at offset 100022C2, as presented in Figure 6:

Figure 6

Zbot Module Capabilities

Zbot initializes in memory through the _injectEntryForThreadEntry@4 export function, provided the infected operating system's language is not Russian, as seen in Figure 7:

Figure 7

Figure 8 highlights the WMI queries used to check the operating system's version; they can be found at offset 1010A44:

Figure 8

Infostealer:

Zbot reads and manipulates browser cookies, which are stored in the form of SQLite databases, by executing two SQL queries:

•   'select `host_key`, `name`, `encrypted_value` from `cookies`': this query is used to obtain Chrome cookies, whose values are stored encrypted, so that they can be decrypted

•   'select `baseDomain`, `name`, `value` from `moz_cookies`': this query is used to obtain Firefox cookies

The results are then imported into an attached SQLite database called vacumm.db, as presented in Figure 9; this capability can be found at offsets 10087E88 and 10087EC7:

Figure 9

Phishing:

Zbot injects WebFakes, fake web pages that are replicas of pages used by individuals and businesses, such as online banking sites, as shown in Figure 10:

Figure 10

Once a target is tricked into entering their personal information, that information is forwarded to the attackers.

Backdoor:

Zbot can also function as a backdoor on infected systems by initializing a VNC session, which can be identified at offsets 100085A3 and 10008659, as shown in Figures 11 and 12:

Figure 11

Figure 12

Zbot also employs proxy connections in order to reach its C2 server; this has been identified at offsets 10060FB0 and 10061288, as highlighted in Figures 13 and 14.

Figure 13

Figure 14

IP Lookup:

Zbot performs IP lookups using hxxp://[checkip].[dyndns].[org]; this can be found at offset 1000B963, as illustrated in Figure 15:

Figure 15

The following table displays the HTTP commands that can be used by Zbot:

OFFSET    COMMAND
101A53A1  aDelete
101A53A8  aHead_0
101A53AD  aPut_0
101A53B1  aConnect
101A53B9  aOptions
101A53C1  aTrace
101A53C7  aCopy_0
101A53CC  aLock
101A53D1  aMkcol
101A53D7  aMove_0
101A53DC  aPropfind
101A53E5  aProppatch
101A53EF  aSearch_0
101A53F6  aUnlock
101A53FD  aReport
101A5404  aMkactivity
101A540F  aCheckout
101A5418  aMerge
101A541E  aMSearch
101A5429  aNotify
101A5430  aSubscribe
101A543A  aUnsubscribe
101A5446  aPatch
101A544C  aPurge
101A5452  aMkcalendar

Table A: HTTP Commands

In addition to the capabilities mentioned above, Zbot has been determined to use a certificate signing utility called certutil to perform MITM attacks.

Conclusion:

To avoid being the victim of the Terdot campaign, organizations should ensure that basic security best practices are being adhered to, particularly around the handling of email and the patching of known vulnerabilities that could be exploited in an attack.

If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.

Indicators of Compromise (IoCs):

Hashes

Terdot.A/Zloader, filename payload.dll

Zbot, filename client32.dll

Hardcoded IPs:


User Agent Strings:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
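As an added example (not code from this report or from the sample itself), the following Python triage script scores constructed proxy log lines against three network indicators this report describes: the checkip.dyndns.org IP lookup, the user-agent string above, and the rarely seen WebDAV/SSDP-style HTTP methods from Table A. The log layout, the score threshold and the sample lines are assumptions made for the example.

```python
import re

# Network indicators taken from this report (not from the sample's own code):
# the IP-lookup host, with the "hxxp"/bracket defanging undone so it matches
# real logs, and the user-agent string listed in the IoC section.
IP_LOOKUP_HOST = "checkip.dyndns.org"
UA_STRING = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0"

# Methods from Table A that are rare in ordinary browsing (WebDAV, SSDP,
# CalDAV verbs). GET/POST are deliberately absent: on their own they are no signal.
RARE_METHODS = {
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "REPORT", "MKACTIVITY", "CHECKOUT", "MERGE", "M-SEARCH", "NOTIFY",
    "SUBSCRIBE", "UNSUBSCRIBE", "PURGE", "MKCALENDAR", "SEARCH",
}

# Assumed log layout (constructed for this example): client, method, URL, "UA"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def score_line(line):
    """Return (score, reasons) for one proxy log line; 0 means nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return 0, ["unparsed line"]
    client, method, url, ua = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    reasons = []
    if host == IP_LOOKUP_HOST:
        reasons.append("external IP lookup via " + IP_LOOKUP_HOST)
    if ua.startswith(UA_STRING):          # startswith: the IoC string is truncated
        reasons.append("user-agent matches report IoC")
    if method.upper() in RARE_METHODS:
        reasons.append("rare HTTP method " + method.upper())
    return len(reasons), reasons

def triage(lines, threshold=2):
    """Return (line, reasons) for every line whose score reaches the threshold."""
    hits = []
    for line in lines:
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((line.strip(), reasons))
    return hits

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 GET http://checkip.dyndns.org/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.0.0.7 GET https://example.com/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"',
    '10.0.0.5 PROPFIND http://203.0.113.10/ "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

A single indicator (an IE8 user agent, or one IP lookup) is common in benign traffic, which is why the default threshold requires two of them to coincide on one line.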

Interesting Strings:

Offset: 100664D7, string: 2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36
Description: The string above identifies the SQLite release version used, https://www.sqlite.org/releaselog/3_15_1.html

Offset: 101F89E8, string: OpenSSL 1.0.2j 26 Sep 2016
Description: The string above identifies the OpenSSL version used,
https://www.openssl.org/news/cl102.txt
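As an added example (not part of the report), this Python script pulls the two kinds of embedded library version strings discussed above out of a binary blob: the SQLite build date plus 40-hex source id that sqlite3_sourceid() embeds, and the OpenSSL version text. The source-id-to-release mapping holds only the entry grounded in the release log linked above; the sample blob is constructed, not bytes from the sample.

```python
import re

# SQLite embeds "YYYY-MM-DD HH:MM:SS <40-hex source id>" (sqlite3_sourceid());
# OpenSSL embeds "OpenSSL <version> <dd Mon yyyy>". OpenSSL's own text uses two
# spaces before the date, while the report shows one, so \s+ accepts both.
SQLITE_RE = re.compile(rb"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([0-9a-f]{40})")
OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")

# Source id -> release, from the release log linked above; extend as needed.
KNOWN_SQLITE_IDS = {"1136863c76576110e710dd5d69ab6bf347c65e36": "3.15.1"}

def find_library_versions(data):
    """Return sorted (offset, library, version, detail) tuples found in data."""
    hits = []
    for m in SQLITE_RE.finditer(data):
        date, srcid = m.group(1).decode(), m.group(2).decode()
        version = KNOWN_SQLITE_IDS.get(srcid, "unknown release, built " + date)
        hits.append((m.start(), "sqlite", version, srcid))
    for m in OPENSSL_RE.finditer(data):
        hits.append((m.start(), "openssl", m.group(1).decode(), m.group(2).decode()))
    return sorted(hits)

def fingerprint(data):
    """Map library name to version: a compact key for clustering related samples."""
    return {lib: ver for _, lib, ver, _ in find_library_versions(data)}

# Constructed blob standing in for an unpacked region of a sample: the two
# strings reported above, surrounded by unrelated filler bytes.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36\x00"
    + b"\x90\x90ZZZZ"
    + b"OpenSSL 1.0.2j 26 Sep 2016\x00"
)

if __name__ == "__main__":
    for off, lib, ver, detail in find_library_versions(SAMPLE_BLOB):
        print(f"{off:#010x} {lib:8} {ver} ({detail})")
```

Run against a memory dump or an unpacked DLL, the offsets can be compared with the ones listed above to confirm the sample is the same build.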


About the Cylance Threat Guidance Team

The Cylance Threat Guidance team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Guidance is on the frontline of information security and often deeply examines malicious software, which puts them in a unique position to discuss never-seen-before threats.
