
On November 28, 2017, our Threat Guidance team received a request to analyze a malicious downloader known as Terdot.A/Zloader, in order to understand its inner workings. This report includes our deep-dive technical analysis and other details, including Indicators of Compromise (IoCs).
Threat Overview
Terdot.A/Zloader is a malicious downloader with origins tied to the well-known Zeus banking trojan, but the latest iterations include a host of espionage-oriented data-stealing functionalities. It has been determined to download Zbot, a malicious banking Trojan/bot, which injects Zbot into Windows processes, msiexec, and web browsers such as Firefox.
Terdot is primarily being disseminated by way of tainted emails and the popular exploit kit Sundown, and the malicious process starts once injected into explorer.exe, as you can see in Figures 1, 2, and 3:
Figure 1
Figure 2
Figure 3
Terdot.A combined with Zbot makes a deadly combo. It’s capable of executing Man-in-the-Middle (MITM) attacks, information theft, and other forms of spying on targets. Details of their capabilities are provided in the following sections.
File Information:

| | Terdot.A/Zloader | Zbot |
|---|---|---|
| SHA256 | 2aadd8786a069427ff0d086daaec73e562b8f6931559630fe5bf239cc13a72b0 | d23ca6aef3456f13eae265d57e4b22bd9c635ea221fbb4ae9749b3f75a026fe1 |
| Type | Win32 DLL | Win32 DLL |
| Size | 31.5 KB | 2.1 MB |
| Timestamp | 2017-01-04 16:49:42 | 2017-02-02 18:53:34 |
| ITW names | Terdot.A/Zloader | Zbot |
Terdot.A/Zloader Module Capabilities
Downloader: Terdot configures proxy connections and downloads payloads (Zbot) from command and control (C2) servers over the Internet. The relevant code can be spotted at offsets 10039FD and 10003CCE, as shown in Figure 4 and Figure 5:
Figure 4
Figure 5
Injector: Terdot injects malicious payloads into memory, and in this case, it’s been designed to inject Zbot into memory, which can be found at offset 100022C2, as presented in Figure 6:
Figure 6
Zbot Module Capabilities
Zbot initializes in memory using the _injectEntryForThreadEntry@4 export function, if the infected operating system version is
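The export name above and the build timestamps in the file table are two handles a defender can check directly in a sample's PE headers during triage. The following is an added example, not code from the Cylance report: a dependency-free PE export-table reader that reports the COFF build time and flags the named export; the DLL it parses is a minimal PE32 image constructed inline for the demo, not the real sample.

```python
import struct
from datetime import datetime, timezone
EXPORT_OF_INTEREST = "_injectEntryForThreadEntry@4"  # export the report names as Zbot's in-memory entry
def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; tuples are (vsize, va, rawsize, rawptr)."""
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x maps to no section" % rva)
def pe_exports(data):
    """Return (COFF TimeDateStamp, [export names]) from a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    exp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96))[0]  # export data directory
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    if exp_rva == 0:
        return timestamp, []  # no export table at all
    exp = _rva_to_offset(exp_rva, sections)
    num_names, _, names_rva = struct.unpack_from("<III", data, exp + 0x18)  # NumberOfNames, AddressOfNames
    table, names = _rva_to_offset(names_rva, sections), []
    for i in range(num_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, table + 4 * i)[0], sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return timestamp, names
def triage(data):
    """Build time, export names and whether the Zbot in-memory entry export is present."""
    ts, names = pe_exports(data)
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"timestamp": stamp, "exports": names, "zbot_entry": EXPORT_OF_INTEREST in names}
def build_sample_dll(exports, timestamp):
    """Constructed test input: a minimal PE32 DLL whose single section holds an export table."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs, names, ords = 40, 40 + 4 * n, 40 + 8 * n  # table offsets inside the section
    pos, name_rvas = ords + 2 * n, []
    for e in exports:
        name_rvas.append(sec_va + pos); pos += len(e) + 1
    body = struct.pack("<IIHHIIIIIII", 0, timestamp, 0, 0, 0, 1, n, n, sec_va + funcs, sec_va + names, sec_va + ords)
    body += struct.pack("<%dI" % n, *[sec_va] * n) + struct.pack("<%dI" % n, *name_rvas)
    body += struct.pack("<%dH" % n, *range(n)) + b"".join(e.encode() + b"\0" for e in exports)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_va, len(body)) + b"\0" * 120
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x2102)
    sect = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_va, len(body), sec_raw) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(sec_raw, b"\0") + body
SAMPLE_TS = int(datetime(2017, 2, 2, 18, 53, 34, tzinfo=timezone.utc).timestamp())  # Zbot build time from the table
SAMPLE_DLL = build_sample_dll(["DllMain", EXPORT_OF_INTEREST], SAMPLE_TS)
```

Run `triage()` over a suspect DLL's bytes; a hit on the export name together with a build time matching the table is a strong cue to pull the file for deeper analysis rather than rely on the hash alone.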
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog