On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader, in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).
Threat Overview
Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but the latest iterations include a host of espionage-oriented data-stealing functionalities. It has been determined to download Zbot, a malicious banking Trojan/bot, and to inject Zbot into Windows processes such as msiexec and into web browsers such as Firefox.
Terdot is primarily being disseminated by way of tainted emails and the popular exploit kit Sundown, and the malicious process starts once injected into explorer.exe, as you can see in Figures 1, 2, and 3:
Figure 1
Figure 2
Figure 3
Terdot.A combined with Zbot makes a deadly combo. It’s capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.
File Information:
Field | Terdot.A/Zloader | Zbot
SHA256 | 2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0 | d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1
Type | Win32 DLL | Win32 DLL
Size | 31.5 KB | 2.1 MB
Timestamp | 2017-01-04 16:49:42 | 2017-02-02 18:53:34
ITW names | Terdot.A/Zloader | Zbot
Terdot.A/Zloader Module Capabilities
Downloader: Terdot configures proxy connections and downloads payloads (Zbot) from command and control (C2) servers over the Internet. This behaviour can be spotted at offsets 10039FD and 10003CCE, as shown in Figure 4 and Figure 5:
Figure 4
Figure 5
Injector: Terdot injects malicious payloads into memory; in this case it has been designed to inject Zbot into memory, which can be found at offset 100022C2, as presented in Figure 6:
Figure 6
Zbot Module Capabilities
Zbot initializes in memory using the _injectEntryForThreadEntry@4 export function, provided the infected operating system is not a Russian-language installation, as seen in Figure 7:
Figure 7
Figure 8 highlights the WMI queries used to check the operating system's version; they can be found at offset 1010A44:
Figure 8
Infostealer:
Zbot reads and manipulates browser cookies, which are stored in the form of SQLite databases, by executing two SQL queries:
- 'select `host_key`, `name`, `encrypted_value` from `cookies`', this command is used to decrypt Chrome cookies
- 'select `baseDomain`, `name`, `value` from `moz_cookies`', this command is used to obtain Firefox cookies
The results are then imported into an attached SQL database called vacumm.db, as presented in Figure 9; this capability can be found at offsets 10087E88 and 10087EC7:
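To make the two statements above concrete for forensic scoping, the following added example (it is not code from the report or from the malware) runs them against constructed, temporary SQLite files that model Chrome's Cookies store and Firefox's cookies.sqlite. The schemas are reduced to the columns the queries name and the rows are constructed sample data; the point is to show which columns are read and that Firefox values come back in clear text while Chrome's encrypted_value column is an opaque blob that still needs decrypting.

```python
"""Added example: what the two cookie queries quoted in the report hand back.
Schemas and rows below are constructed stand-ins, not real browser profiles."""
import os
import sqlite3
import tempfile

# The two statements exactly as they appear in the Zbot module.
CHROME_QUERY = "select `host_key`, `name`, `encrypted_value` from `cookies`"
FIREFOX_QUERY = "select `baseDomain`, `name`, `value` from `moz_cookies`"


def make_chrome_store(path):
    """Constructed stand-in for Chrome's Cookies database (values stored encrypted)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        (".bank.example", "SESSIONID", b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01"),  # placeholder blob
        (".mail.example", "auth", b"\x01\x00\x00\x00\x5a\x5a\x5a\x5a\x5a"),       # placeholder blob
    ])
    con.commit()
    con.close()


def make_firefox_store(path):
    """Constructed stand-in for Firefox's cookies.sqlite (values stored in clear)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (baseDomain TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", [
        ("bank.example", "SESSIONID", "s3ss10n-t0k3n"),
        ("mail.example", "auth", "auth-t0k3n"),
    ])
    con.commit()
    con.close()


def run_query(path, sql):
    """Execute one of the report's queries and return all rows."""
    con = sqlite3.connect(path)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


def exposure_report(chrome_path, firefox_path):
    """One tuple per cookie: (browser, domain, name, 'encrypted' | 'cleartext').
    A bytes value is an encrypted blob; a str value is immediately usable."""
    report = []
    for host, name, value in run_query(chrome_path, CHROME_QUERY):
        report.append(("chrome", host, name, "encrypted" if isinstance(value, bytes) else "cleartext"))
    for domain, name, value in run_query(firefox_path, FIREFOX_QUERY):
        report.append(("firefox", domain, name, "encrypted" if isinstance(value, bytes) else "cleartext"))
    return report


def demo():
    """Build both constructed stores in a temp dir and return the exposure report."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome = os.path.join(tmp, "Cookies")
        firefox = os.path.join(tmp, "cookies.sqlite")
        make_chrome_store(chrome)
        make_firefox_store(firefox)
        return exposure_report(chrome, firefox)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it as a script to see the four rows; the practical reading is that an infected machine's Firefox session cookies should be treated as exposed outright, while Chrome cookies are exposed to the extent the stealer can decrypt them, which the report states it does.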
Figure 9
Phishing:
Zbot injects WebFakes, which are fake web pages that replicate the web pages used by individuals and businesses, such as online banking sites, as shown in Figure 10:
Figure 10
Once a target is tricked into entering their personal information, this information is then forwarded to the attackers.
Backdoor:
Zbot can also function as a backdoor on infected systems by initializing a VNC session, which can be identified at offsets 100085A3 and 10008659, as shown in Figures 11 and 12:
Figure 11
Figure 12
Zbot also employs proxy connections in order to connect to its C2 server, which has been identified at offsets 10060FB0 and 10061288, as highlighted in Figures 13 and 14:
Figure 13
Figure 14
IP Lookup:
Zbot performs IP lookups using hxxp://[checkip].[dyndns].[org]; this can be found at offset 1000B963, as illustrated in Figure 15:
Figure 15
The following table displays the HTTP commands that can be used by Zbot (listed by the disassembler's string labels, e.g. aDelete for DELETE):
OFFSET | COMMAND
101A53A1 | aDelete
101A53A8 | aHead_0
101A53AD | aPut_0
101A53B1 | aConnect
101A53B9 | aOptions
101A53C1 | aTrace
101A53C7 | aCopy_0
101A53CC | aLock
101A53D1 | aMkcol
101A53D7 | aMove_0
101A53DC | aPropfind
101A53E5 | aProppatch
101A53EF | aSearch_0
101A53F6 | aUnlock
101A53FD | aReport
101A5404 | aMkactivity
101A540F | aCheckout
101A5418 | aMerge
101A541E | aMSearch
101A5429 | aNotify
101A5430 | aSubscribe
101A543A | aUnsubscribe
101A5446 | aPatch
101A544C | aPurge
101A5452 | aMkcalendar
Table A: HTTP Commands
In addition to the capabilities mentioned above, Zbot has been determined to use a certificate signing utility called certutil to perform MITM attacks.
Conclusion:
To avoid being the victim of the Terdot campaign, organizations should ensure that basic security best practices are being adhered to, particularly around the handling of email and the patching of known vulnerabilities that could be exploited in an attack.
If you use our endpoint protection product, CylancePROTECT®, you are already protected from this attack.
Indicators of Compromise (IoCs):
Hashes
Terdot.A/Zloader, filename payload.dll
2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0
70a3c2d1ce0b4c1392ae9ad9e85af5289dc1cfc8dac2c0b91f2a4820ac36e762
19658d5653189d35bdaa49dc0541eec90a5f1b5156f1895f07484aa759a422c2
a2aa23d21102e0986ad32e7d8364d336a2745b7fec105fc741650a73b6e0481c
bd44645d62f634c5ca65b110b2516bdd22462f8b2f3957dbcd821fa5bdeb38a2
Zbot, filename client32.dll
6f1be15fb9a5f23bded10cffa5413858f3c0937228dd260206d560e58ab7fe25
47b26e0172dff4ae1905455029926314ac685e0ce854c4230fc35a7cdf0fe259
085dadefbec243575e6c82c53999e4518d19ec81d68ce89d17a9cd0d8dc82688
d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1
Hardcoded IPs:
185.121.177.53
185.121.177.177
45.63.25.55
111.67.16.202
142.4.204.111
142.4.205.47
31.3.135.232
62.113.203.55
37.228.151.133
144.76.133.38
User Agent Strings:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0
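The network-side indicators in this report (the hardcoded IPs above, the user-agent string, the checkip.dyndns.org lookup described under "IP Lookup", and the WebDAV-style methods in Table A) can be turned into a simple proxy-log sweep. The following is an added example, not tooling from the report: the log format and every sample line are constructed, and the choice of which Table A methods count as unusual is an assumption for the example (CONNECT, HEAD, OPTIONS, PUT, DELETE and PATCH are left out because proxies and ordinary clients use them routinely).

```python
"""Added example: sweep constructed proxy-log lines for the network indicators
listed in this report. Log format is an assumption; indicator values are the report's."""
from urllib.parse import urlsplit

# Hardcoded IPs from the report's IoC list.
C2_IPS = {
    "185.121.177.53", "185.121.177.177", "45.63.25.55", "111.67.16.202",
    "142.4.204.111", "142.4.205.47", "31.3.135.232", "62.113.203.55",
    "37.228.151.133", "144.76.133.38",
}
IP_LOOKUP_HOST = "checkip.dyndns.org"          # refanged from hxxp://[checkip].[dyndns].[org]
USER_AGENT_PREFIX = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0"
# Table A entries rarely seen from normal browsing (aMkcol -> MKCOL, aMSearch -> M-SEARCH, ...).
UNUSUAL_METHODS = {
    "TRACE", "COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "SEARCH",
    "UNLOCK", "REPORT", "MKACTIVITY", "CHECKOUT", "MERGE", "M-SEARCH", "NOTIFY",
    "SUBSCRIBE", "UNSUBSCRIBE", "PURGE", "MKCALENDAR",
}

# Constructed log format: time, client, method, url, status, user_agent (tab separated).
SAMPLE_LOG = [
    "\t".join(["2017-11-28T10:00:01", "10.0.0.5", "GET", "http://www.example.com/", "200",
               "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"]),
    "\t".join(["2017-11-28T10:00:07", "10.0.0.9", "GET", "http://checkip.dyndns.org/", "200",
               USER_AGENT_PREFIX + ")"]),
    "\t".join(["2017-11-28T10:00:09", "10.0.0.9", "POST", "http://185.121.177.53/", "200",
               USER_AGENT_PREFIX + ")"]),
    "\t".join(["2017-11-28T10:01:30", "10.0.0.7", "PROPFIND", "http://intranet.example/", "207",
               "Microsoft-WebDAV-MiniRedir/6.1.7601"]),
    "\t".join(["2017-11-28T10:02:00", "10.0.0.5", "GET", "http://142.4.204.111/", "200",
               "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"]),
]


def parse_line(line):
    """Split one constructed log line into a record, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    time, client, method, url, status, ua = parts
    return {"time": time, "client": client, "method": method.upper(), "url": url,
            "host": urlsplit(url).hostname or "", "status": status, "ua": ua}


def indicators_for(rec):
    """Return the list of report indicators that this record matches."""
    hits = []
    if rec["host"] in C2_IPS:
        hits.append("c2-ip:" + rec["host"])
    if rec["host"] == IP_LOOKUP_HOST:
        hits.append("ip-lookup")
    if rec["ua"].startswith(USER_AGENT_PREFIX):
        hits.append("user-agent")
    if rec["method"] in UNUSUAL_METHODS:
        hits.append("method:" + rec["method"])
    return hits


def scan(lines):
    """Return (line_number, client, hits) for every line matching at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec)
        if hits:
            findings.append((number, rec["client"], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Line 4 of the sample shows why the method check is a weak indicator on its own: a legitimate Windows WebDAV client produces PROPFIND too, so treat a method hit as corroboration when it comes from a client that also hit the IP, host or user-agent indicators (here client 10.0.0.9, which did the checkip lookup and then posted to a hardcoded C2 address).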
Interesting Strings:
offset: 100664D7 string: 2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36
Description: The string above identifies the SQLite release version used, https://www.sqlite.org/releaselog/3_15_1.html
offset: 101F89E8 string: OpenSSL 1.0.2j 26 Sep 2016
Description: The string above identifies the OpenSSL version used, https://www.openssl.org/news/cl102.txt
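The hashes and the strings listed in this section, together with the export name, cookie queries, staging database name and IP-lookup host discussed earlier, are enough for a first-pass file triage. The following added example (not the report's own tooling) checks a file's SHA256 against the report's hash list, pulls printable ASCII and UTF-16LE strings, and maps any report strings it finds to the capability they evidence. The sample blob it runs on is constructed so the script works offline; only the indicator values come from the report.

```python
"""Added example: triage a suspect file against this report's hashes and strings.
SAMPLE_BLOB is constructed test data, not a real sample."""
import hashlib
import re

# SHA256 values from the report's IoC list.
KNOWN_HASHES = {
    "2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0": "Terdot.A/Zloader (payload.dll)",
    "70a3c2d1ce0b4c1392ae9ad9e85af5289dc1cfc8dac2c0b91f2a4820ac36e762": "Terdot.A/Zloader (payload.dll)",
    "19658d5653189d35bdaa49dc0541eec90a5f1b5156f1895f07484aa759a422c2": "Terdot.A/Zloader (payload.dll)",
    "a2aa23d21102e0986ad32e7d8364d336a2745b7fec105fc741650a73b6e0481c": "Terdot.A/Zloader (payload.dll)",
    "bd44645d62f634c5ca65b110b2516bdd22462f8b2f3957dbcd821fa5bdeb38a2": "Terdot.A/Zloader (payload.dll)",
    "6f1be15fb9a5f23bded10cffa5413858f3c0937228dd260206d560e58ab7fe25": "Zbot (client32.dll)",
    "47b26e0172dff4ae1905455029926314ac685e0ce854c4230fc35a7cdf0fe259": "Zbot (client32.dll)",
    "085dadefbec243575e6c82c53999e4518d19ec81d68ce89d17a9cd0d8dc82688": "Zbot (client32.dll)",
    "d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1": "Zbot (client32.dll)",
}

# Strings quoted in the report, paired with the capability each one evidences.
STRING_INDICATORS = [
    ("_injectEntryForThreadEntry@4", "Zbot in-memory initialization export"),
    ("select `host_key`, `name`, `encrypted_value` from `cookies`", "Chrome cookie theft"),
    ("select `baseDomain`, `name`, `value` from `moz_cookies`", "Firefox cookie theft"),
    ("vacumm.db", "cookie staging database"),
    ("checkip.dyndns.org", "external IP lookup"),
    ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0", "hardcoded user agent"),
    ("1136863c76576110e710dd5d69ab6bf347c65e36", "embedded SQLite 3.15.1"),
    ("OpenSSL 1.0.2j 26 Sep 2016", "embedded OpenSSL 1.0.2j"),
]
# WebDAV-style verbs from Table A; three or more as stand-alone strings is treated as a hit.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
                  "MKCALENDAR", "MKACTIVITY", "CHECKOUT", "MERGE", "REPORT"}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data):
    """Printable ASCII runs plus UTF-16LE runs, like a basic 'strings' pass."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return found


def triage(data):
    """Return sha256, the report name for that hash (if any), and evidenced capabilities."""
    digest = hashlib.sha256(data).hexdigest()
    strings = extract_strings(data)
    joined = "\n".join(strings)
    capabilities = [label for needle, label in STRING_INDICATORS if needle in joined]
    dav = sorted(WEBDAV_METHODS & set(strings))
    if len(dav) >= 3:
        capabilities.append("WebDAV method table (" + ", ".join(dav) + ")")
    return {"sha256": digest, "known_as": KNOWN_HASHES.get(digest), "capabilities": capabilities}


# Constructed blob: null-separated strings, with the IP-lookup host stored wide.
SAMPLE_BLOB = b"\x00".join([
    b"MZ",
    b"_injectEntryForThreadEntry@4",
    b"select `host_key`, `name`, `encrypted_value` from `cookies`",
    b"vacumm.db",
    b"PROPFIND", b"MKCOL", b"LOCK",
    b"OpenSSL 1.0.2j 26 Sep 2016",
    "checkip.dyndns.org".encode("utf-16le"),
]) + b"\x00"


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print(result["sha256"], result["known_as"])
    for cap in result["capabilities"]:
        print(" -", cap)
```

A hash match is conclusive for the listed samples only; the string mapping is what catches a recompiled or repacked build once it is unpacked in memory, which is also why the UTF-16LE pass is there.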