On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader, in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).
Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but the latest iterations include a host of espionage-oriented data-stealing functionalities. It has been determined to download Zbot, a malicious banking Trojan/bot, and to inject Zbot into Windows processes such as msiexec and into web browsers such as Firefox.
Terdot is primarily being disseminated by way of tainted emails and the popular exploit kit Sundown, and the malicious process starts once injected into explorer.exe, as you can see in Figures 1, 2, and 3:
Terdot.A combined with Zbot makes a deadly combo. It’s capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.
Terdot.A/Zloader Module Capabilities
Downloader: Terdot configures proxy connections and downloads payloads (Zbot) from command and control (C2) servers via the Internet. This can be spotted at offsets 10039FD and 10003CCE, as shown in Figure 4 and Figure 5:
Injector: Terdot injects malicious payloads into memory; in this case, it has been designed to inject Zbot into memory, which can be found at offset 100022C2, as presented in Figure 6:
Zbot Module Capabilities
Zbot initializes in memory using the _injectEntryForThreadEntry@4 export function, provided the infected operating system is not a Russian-language installation, as seen in Figure 7:
Figure 8 highlights the WMI queries used to check the operating system's version; these can be found at offset 1010A44:
Zbot reads and manipulates browser cookies that are stored in the form of SQLite databases by executing two SQL queries:
- `select `host_key`, `name`, `encrypted_value` from `cookies``: this command is used to decrypt Chrome cookies
- `select `baseDomain`, `name`, `value` from `moz_cookies``: this command is used to obtain Firefox cookies
The results are then imported into an attached SQLite database called vacumm.db, as presented in Figure 9; this capability can be found at offsets 10087E88 and 10087EC7:
Zbot injects WebFakes, which are fake web pages that are replicas of the web pages used by individuals and businesses, such as online banking sites, as shown in Figure 10:
Once a target is tricked into entering their personal information, this information is then forwarded to the attackers.
Zbot can also function as a backdoor on infected systems by initializing a VNC session, which can be identified at offsets 100085A3 and 10008659, as shown in Figures 11 and 12:
Zbot also employs proxy connections in order to connect to its C2 server, which has been identified at offsets 10060FB0 and 10061288, as highlighted in Figures 13 and 14.
Zbot performs IP lookups using hxxp://[checkip].[dyndns].[org], which can be found at offset 1000B963, as illustrated in Figure 15:
The following table displays the HTTP commands that can be used by Zbot:
Table A: HTTP Commands
In addition to the capabilities mentioned above, Zbot has been determined to use a certificate signing utility called certutil to perform MITM attacks.
To avoid being the victim of the Terdot campaign, organizations should ensure that basic security best practices are being adhered to, particularly around the handling of email and the patching of known vulnerabilities that could be exploited in an attack.
If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.
Indicators of Compromise (IoCs):
Terdot.A/Zloader, filename payload.dll
Zbot, filename client32.dll
User Agent Strings:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
offset: 100664D7 string: 2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36
Description: The string above identifies the SQLite release version used, https://www.sqlite.org/releaselog/3_15_1.html
offset: 101F89E8 string: OpenSSL 1.0.2j 26 Sep 2016
Description: The string above identifies the OpenSSL version used,
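The strings listed above can be turned into a simple triage check. The scanner below is an added example and not part of the report; it searches a file for the report's indicator strings in both ASCII and UTF-16LE (Windows binaries commonly carry wide strings) and reports the offset of each hit. The indicator set is an assumption about what is worth scanning for, not a signature shipped by Cylance.

```python
import re
import sys
from typing import Dict, List, Tuple

# Indicator strings taken from the report: the two cookie queries, the attached
# database name, the User-Agent prefix, the SQLite release line and the OpenSSL
# banner. Which of these to include is our assumption, not a vendor signature.
INDICATORS: Dict[str, str] = {
    "chrome_cookie_query": "select `host_key`, `name`, `encrypted_value` from `cookies`",
    "firefox_cookie_query": "select `baseDomain`, `name`, `value` from `moz_cookies`",
    "attached_db_name": "vacumm.db",
    "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0",
    "sqlite_release": "2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36",
    "openssl_banner": "OpenSSL 1.0.2j 26 Sep 2016",
}


def scan_bytes(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (indicator name, encoding, offset) for every hit, sorted by offset.

    Each string is searched as ASCII and as UTF-16LE. Matching is
    case-insensitive so that upper- or lower-cased SQL keywords still hit;
    for UTF-16LE the interleaved NUL bytes are unaffected by case folding.
    """
    hits: List[Tuple[str, str, int]] = []
    for name, text in INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(text.encode(enc)), re.IGNORECASE)
            hits.extend((name, enc, m.start()) for m in pattern.finditer(data))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path: str) -> List[Tuple[str, str, int]]:
    """Scan a file on disk (e.g. a suspected payload.dll or client32.dll)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def build_sample() -> bytes:
    """Constructed test buffer: padding, the Firefox query as a wide string,
    more padding, then the OpenSSL banner as ASCII."""
    return (b"\x00" * 16 + INDICATORS["firefox_cookie_query"].encode("utf-16-le")
            + b"\xff" * 8 + INDICATORS["openssl_banner"].encode("ascii") + b"\x00" * 4)


if __name__ == "__main__":
    for target in sys.argv[1:] or []:
        for name, enc, off in scan_file(target):
            print(f"{target}: {name} ({enc}) at offset 0x{off:X}")
```

The SQLite and OpenSSL banners appear in plenty of legitimate software, so treat those hits as corroborating only; the cookie-query strings and the vacumm.db name are the meaningful matches.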