Threat Spotlight: Terdot.A/Zloader Malicious Downloader

On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).

Threat Overview

Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but its latest iterations include a host of espionage-oriented data-stealing functionalities. It has been observed downloading Zbot, a malicious banking Trojan/bot, and injecting it into Windows processes such as msiexec and into web browsers such as Firefox.

Terdot is primarily distributed through tainted emails and the popular Sundown exploit kit. The malicious process starts once it has been injected into explorer.exe, as shown in Figures 1, 2, and 3:

Figure 1

Figure 2

Figure 3

Terdot.A combined with Zbot is a potent combination. It is capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.

File Information:

Sample 1
  SHA256:     2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0
  Type:       Win32 DLL
  Size:       31.5 KB
  Timestamp:  2017-01-04 16:49:42
  ITW names:  Terdot.A/Zloader

Sample 2
  SHA256:     d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1
  Type:       Win32 DLL
  Size:       2.1 MB
  Timestamp:  2017-02-02 18:53:34
  ITW names:  Zbot

Terdot.A/Zloader Module Capabilities

Downloader: Terdot configures proxy connections and downloads payloads (Zbot) from command and control (C2) servers over the Internet. This behavior can be seen at offsets 10039FD and 10003CCE, as shown in Figure 4 and Figure 5:

Figure 4

Figure 5

Injector: Terdot injects malicious payloads into memory; in this case it is designed to inject Zbot. The injection routine can be found at offset 100022C2, as presented in Figure 6:

Figure 6

Zbot Module Capabilities

Zbot initializes in memory using the _injectEntryForThreadEntry@4 export function, if the infected operating system version is (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog