{"id":6400,"date":"2017-01-26T12:10:51","date_gmt":"2017-01-26T20:10:51","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/26\/news-237\/"},"modified":"2017-01-26T12:10:51","modified_gmt":"2017-01-26T20:10:51","slug":"news-237","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/26\/news-237\/","title":{"rendered":"Zbot with legitimate applications on board"},"content":{"rendered":"<p>The source code of the infamous ZeuS malware <a href=\"https:\/\/threatpost.com\/zeus-source-code-leaked-051011\/75217\/\" target=\"_blank\">leaked in 2011<\/a>. Since then, many cybercriminals have adopted it and augmented it with their own ideas. Recently, among the payloads delivered by exploit kits, we often find <strong>Terdot.A\/Zloader<\/strong> &#8211; a downloader that installs ZeuS-based malware on the victim machine.<\/p>\n<p>The payload is very similar to the malware described under the name Sphinx in this article (read more <a href=\"https:\/\/securityintelligence.com\/brazil-cant-catch-a-break-after-panda-comes-the-sphinx\/\" target=\"_blank\">here<\/a>). However, after consulting with other researchers (special thanks to <a href=\"https:\/\/twitter.com\/mesa_matt\" target=\"_blank\"><strong>Matthew Mesa<\/strong><\/a>), we confirmed that the bot sold as Sphinx is very different (<a href=\"https:\/\/virustotal.com\/en\/file\/07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed\/analysis\/\" target=\"_blank\">sample<\/a>). Since there is much confusion about the naming, we decided to stick to the name Terdot Zloader\/Zbot.<\/p>\n<p>In this post we will have a look at the features and internals of this malware. 
As we will see, the dropped package consists not only of malicious files &#8211;\u00a0 but also legitimate applications, used for the malicious purpose.<\/p>\n<h3>Analyzed sample<\/h3>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/952418768f698fc731d52e06a9d25c45486ebc21f31586f025ebe98d6f998f66\/analysis\/\" target=\"_blank\">d45b8a20a991acd01d2ff63735fc1adf<\/a> &#8211; original executable #1<\/p>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/c4b894094c08ea234a2a2652f77383f4a22c5402918c330a7ad6f39520dcc53c\/analysis\/\" target=\"_blank\">950368afb934fd3fd5b2d4e6704b757b<\/a> &#8211; original executable #2<\/p>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/9ee649300ee66768afdb2b8866d504e802bd40fd8e4125667bb0f0e2bb6d339f\/analysis\/\" target=\"_blank\">fca092aca679edd9564d00e9640f939d<\/a> &#8211; original executable #3<\/p>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/611d0954c55a7cb4471478763fe58aa791dc4bbf345d7b5a96808e6d1d264f96\/analysis\/\" target=\"_blank\">ae1d1f4597f76912d7bd9962b96eecbb<\/a> &#8211; loader (unpacked)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/bd44645d62f634c5ca65b110b2516bdd22462f8b2f3957dbcd821fa5bdeb38a2\/analysis\/1483378919\/\" target=\"_blank\">268fd83403da27a80ab1a3cf9ac45b67<\/a> &#8211; payload.dll (injected into <em>explorer<\/em>)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/f76e614723432398d1b7d2c4224728204b3bd9c5725e8200a925e8cbf349344c\/analysis\/1483379079\/\" target=\"_blank\">6c34779503414210378371d250a3a1af<\/a> &#8211; client32.dll (Zbot downloaded and injected into <em>msiexec, <\/em>and into browsers)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/7aa5318a4cf3534ee34f0c542620c03608a95040e8a44ac71150c8e48e6e7ddc\/analysis\/\" target=\"_blank\">f9373dc232028da52ad33b017e33bbd3<\/a> &#8211; original executable #4<\/p>\n<h3>Distribution<\/h3>\n<p>Most of the analyzed samples were dropped from <a class=\"twitter-hashtag 
pretty-link js-nav\" href=\"https:\/\/twitter.com\/jeromesegura\/status\/813807695337664512\" target=\"_blank\"><b>SundownEK<\/b><\/a> &#8211; some of the campaigns are described in detail here: <a href=\"http:\/\/malware-traffic-analysis.net\/2016\/12\/28\/index.html\" target=\"_blank\">28 Dec 2016<\/a>, <a href=\"http:\/\/www.malware-traffic-analysis.net\/2017\/01\/06\/index2.html\" target=\"_blank\">6 Jan 2017<\/a>, and <a href=\"http:\/\/www.broadanalysis.com\/2017\/01\/18\/sundown-exploit-kit-from-88-99-41-189-and-93-190-143-185-delivers-terdot-a-zloader\/\" target=\"_blank\">18 Jan 2017<\/a>. However, we also encountered cases where Terdot.A\/Zloader was dropped by a malicious email attachment.<\/p>\n<h3>Behavioral analysis<\/h3>\n<p>After the sample is run, we can see it launching <em>explorer<\/em> and then terminating. It is easy to guess that it injected some malicious modules there.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15837\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/expl-1.png\" alt=\"expl\" width=\"714\" height=\"54\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/expl-1.png 714w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/expl-1-300x23.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/expl-1-600x45.png 600w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><\/p>\n<p>If we attach a debugger to the <em>explorer<\/em> process, we can see the injected shellcode, along with a new PE file (payload.dll). 
An interesting and unusual thing, typical for this Zloader, is that the DLL does not start at the beginning of the memory page, but after the shellcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16182\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/injected.png\" alt=\"\" width=\"705\" height=\"445\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/injected.png 705w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/injected-300x189.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/injected-600x379.png 600w\" sizes=\"auto, (max-width: 705px) 100vw, 705px\" \/><\/p>\n<p>If we have an internet connection, the Zloader will load the second stage (the main bot) and inject it into msiexec.exe.<\/p>\n<p>The injected module beacons to the CnC and downloads other modules. Observed patterns of the gates:<\/p>\n<pre>\/FE8hVs3\/gs98h.php  \/bdk\/gate.php<\/pre>\n<p>The communication is encrypted:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16188\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/gete.png\" alt=\"\" width=\"755\" height=\"673\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/gete.png 755w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/gete-300x267.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/gete-600x535.png 600w\" sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/p>\n<p>The CnC responds with a new PE file &#8211; a module of the malware (<em>client32.dll<\/em>). The downloader decrypts it in memory and injects it further: after a while we can see <em>explorer<\/em> terminating and another program being launched: <em>msiexec<\/em>. 
The initial malware executable is deleted.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15852\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msiexec.png\" alt=\"msiexec\" width=\"760\" height=\"38\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msiexec.png 760w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msiexec-300x15.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msiexec-600x30.png 600w\" sizes=\"auto, (max-width: 760px) 100vw, 760px\" \/><\/p>\n<p>Attaching a debugger to <em>msiexec<\/em>, we can find the Zbot (<em>client32.dll<\/em>) implanted and running in the process space.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16184\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msi_inject.png\" alt=\"\" width=\"685\" height=\"452\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msi_inject.png 685w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msi_inject-300x198.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/msi_inject-600x396.png 600w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><\/p>\n<p>From inside the injected module another internet connection is made, and some new elements are downloaded and dropped (including legitimate applications like <em>certutil<\/em> and <em>php<\/em> &#8211; their role will be described further). 
The same <em>client32.dll<\/em> is also injected in browsers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16185\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/browser_inj.png\" alt=\"\" width=\"769\" height=\"488\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/browser_inj.png 769w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/browser_inj-300x190.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/browser_inj-600x381.png 600w\" sizes=\"auto, (max-width: 769px) 100vw, 769px\" \/><\/p>\n<p>The module deployed inside msiexec.exe is used as a supervisor. It opens TCP sockets locally and communicates with the modules injected in browsers, in order to monitor opened pages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16187\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/local_connections-1.png\" alt=\"\" width=\"453\" height=\"723\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/local_connections-1.png 453w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/local_connections-1-188x300.png 188w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/local_connections-1-376x600.png 376w\" sizes=\"auto, (max-width: 453px) 100vw, 453px\" \/><\/p>\n<h4>MitM<\/h4>\n<p>The main module of the bot downloads and drops some new elements into the %TEMP% folder. Surprisingly, those files are non-malware. 
We can see the <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc732443(v=ws.11).aspx\" target=\"_blank\">certutil<\/a> application (<a href=\"https:\/\/virustotal.com\/en\/file\/5950722034c8505daa9b359127feb707f16c37d2f69e79d16ee6d9ec37690478\/analysis\/1483499103\/\" target=\"_blank\">0c6b43c9602f4d5ac9dcf907103447c4<\/a>) along with its dependencies &#8211; legitimate DLLs.<\/p>\n<p>In the same folder, there is also an alien certificate (the filename, as well as the name of the issuer, is randomly generated).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16191\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_temp.png\" alt=\"\" width=\"709\" height=\"660\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_temp.png 709w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_temp-300x279.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_temp-600x559.png 600w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\" \/><\/p>\n<p>The certificate is installed with the help of <em>certutil<\/em>, for the purpose of Man-in-the-Middle attacks (in this case also called Man-in-the-Browser).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16189\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/adding_cert.png\" alt=\"\" width=\"1129\" height=\"77\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/adding_cert.png 1129w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/adding_cert-300x20.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/adding_cert-600x41.png 600w\" sizes=\"auto, (max-width: 1129px) 100vw, 1129px\" \/><\/p>\n<p>Example &#8211; a command line deployed during tests:<\/p>\n<pre>\"C:\\Users\\tester\\AppData\\Local\\Temp\\certutil.exe\"   -A -n \"otdarufyr\"   -t \"C,C,C\" -i 
\"C:\\Users\\tester\\AppData\\Local\\Temp\\nedea.crt\"   -d \"C:\\Users\\tester\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\be7dt337.default\"  <\/pre>\n<p>It is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit a site over HTTPS, we will see that the original certificates are replaced by the malicious one. See the examples below &#8211; note that the subject of the certificate contains the valid domain &#8211; only the <em>issuer<\/em> field lets us recognize that the certificate is not legitimate:<\/p>\n<p>Santander MiTB on Firefox:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16198\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_firefox.png\" alt=\"\" width=\"664\" height=\"386\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_firefox.png 664w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_firefox-300x174.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_firefox-600x349.png 600w\" sizes=\"auto, (max-width: 664px) 100vw, 664px\" \/><\/p>\n<p>The browser claims that the connection is secure &#8211; but when we look at the details, we find that the connection is &#8220;protected&#8221; by the fake certificate dropped by the malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16199\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_fake.png\" alt=\"\" width=\"662\" height=\"743\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_fake.png 662w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_fake-267x300.png 267w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/satander_fake-535x600.png 535w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><\/p>\n<p>Facebook MiTB on Internet Explorer:<\/p>\n<p><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-full wp-image-16194\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_facebook.png\" alt=\"\" width=\"588\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_facebook.png 588w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/fake_cert_facebook-300x204.png 300w\" sizes=\"auto, (max-width: 588px) 100vw, 588px\" \/><\/p>\n<p>Browsers do not alert about any inconsistency &#8211; and a user who is not vigilant enough to check the details of the certificate may easily be deceived&#8230;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16201\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ie_facebook_ok.png\" alt=\"\" width=\"558\" height=\"462\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ie_facebook_ok.png 558w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ie_facebook_ok-300x248.png 300w\" sizes=\"auto, (max-width: 558px) 100vw, 558px\" \/><\/p>\n<p>If we attach a debugger to the running browser, we can see that the same <em>client32.dll<\/em> is injected there &#8211; along with some more code used for API redirection.<\/p>\n<h4>Persistence<\/h4>\n<p>In addition to the content dropped in %TEMP%, we can see some new folders with random names created in %APPDATA%:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15845\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_folders_roaming.png\" alt=\"dropped_folders_roaming\" width=\"594\" height=\"375\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_folders_roaming.png 594w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_folders_roaming-300x189.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/p>\n<p>An interesting fact is that one of 
them contains a legitimate php.exe (see on VirusTotal: <a href=\"https:\/\/virustotal.com\/en\/file\/0ea0dbcbf78a85b47ec9c98c1fd7c8ff9a71a9986cd6fcf953a1b2f15609d349\/analysis\/\" target=\"_blank\">php.exe<\/a>, <a href=\"https:\/\/virustotal.com\/en\/file\/018e13cab4c50261776dc7f641f1c3dd1000cafa21759bac221765663efce806\/analysis\/\" target=\"_blank\">php5ts.dll<\/a>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15846\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_php.png\" alt=\"dropped_php\" width=\"606\" height=\"165\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_php.png 606w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_php-300x82.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_php-600x163.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_php-604x165.png 604w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/p>\n<p>&#8230;and some obfuscated PHP code:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/1952374847712805c4f7199b7423dd27.json?file=script.php\"><\/div>\n<p>(Formatted version <a href=\"https:\/\/gist.github.com\/hasherezade\/1952374847712805c4f7199b7423dd27#file-formated-php\" target=\"_blank\">here<\/a>).<\/p>\n<p>Other folders contain some encrypted data, e.g.:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15847\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_encrypted.png\" alt=\"dropped_encrypted\" width=\"646\" height=\"591\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_encrypted.png 646w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_encrypted-300x274.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/dropped_encrypted-600x549.png 600w\" sizes=\"auto, (max-width: 646px) 100vw, 646px\" \/><\/p>\n<p>Interestingly, this PHP package is referenced at autostart:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15882\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/startup_method.png\" alt=\"startup_method\" width=\"892\" height=\"46\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/startup_method.png 892w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/startup_method-300x15.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/startup_method-600x31.png 600w\" sizes=\"auto, (max-width: 892px) 100vw, 892px\" \/><\/p>\n<p>The link launches the dropped PHP application and runs the script that we saw before:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15883\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/php_startup.png\" alt=\"php_startup\" width=\"603\" height=\"474\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/php_startup.png 603w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/php_startup-300x236.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/php_startup-600x472.png 600w\" sizes=\"auto, (max-width: 603px) 100vw, 603px\" \/><\/p>\n<p>We can easily suspect that this is a method of persistence. Deobfuscating the PHP code confirms this guess. See the same code after cleanup:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/1952374847712805c4f7199b7423dd27.json?file=deobfuscated.php\"><\/div>\n<p>As we can notice, the file <em>royxh.umh<\/em> contains the encrypted code of the malware. 
Using the presented PHP script it is decrypted back into the Zloader executable:<\/p>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/9ee649300ee66768afdb2b8866d504e802bd40fd8e4125667bb0f0e2bb6d339f\/analysis\/\" target=\"_blank\">fca092aca679edd9564d00e9640f939d<\/a><\/p>\n<p>The dropped file is run and then deleted.<\/p>\n<h3>Inside<\/h3>\n<h4>Zloader &#8211; <em>payload.dll<\/em><\/h4>\n<p>This element &#8211; unpacked from the initial sample and injected into <em>explorer.exe<\/em> &#8211; is a downloader, identified as <strong>Terdot.A\/Zloader<\/strong>. It is responsible for connecting to the CnC and downloading the main malicious module, i.e. the Zbot.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15853\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/payl_lay.png\" alt=\"payl_lay\" width=\"829\" height=\"462\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/payl_lay.png 829w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/payl_lay-300x167.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/payl_lay-600x334.png 600w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/p>\n<h4>Zbot &#8211; <em>client32.dll<\/em><\/h4>\n<p>The second stage is also a DLL &#8211; this time it is injected into <em>msiexec.exe<\/em> as well as into browsers:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15859\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/our_zbot.png\" alt=\"our_zbot\" width=\"844\" height=\"393\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/our_zbot.png 844w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/our_zbot-300x140.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/our_zbot-600x279.png 600w\" sizes=\"auto, (max-width: 844px) 100vw, 844px\" \/><\/p>\n<h4>Attacked 
targets<\/h4>\n<p>The bot injects itself into the most popular browsers, in order to hook their API:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15878\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/search_browser.png\" alt=\"search_browser\" width=\"727\" height=\"416\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/search_browser.png 727w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/search_browser-300x172.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/search_browser-600x343.png 600w\" sizes=\"auto, (max-width: 727px) 100vw, 727px\" \/><\/p>\n<p>It excludes computers with the Russian language installed from the attack &#8211; but instead of doing so silently, like most malware, it announces this fact very openly:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15854\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ru_not_supported.png\" alt=\"ru_not_supported\" width=\"466\" height=\"485\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ru_not_supported.png 466w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/ru_not_supported-288x300.png 288w\" sizes=\"auto, (max-width: 466px) 100vw, 466px\" \/><\/p>\n<h5>The SQL part<\/h5>\n<p>Inside the bot we can find references to an SQLite release from the end of 2016 (see <a href=\"https:\/\/www.sqlite.org\/releaselog\/3_15_1.html\" target=\"_blank\">SQLite Release 3.15.1 On 2016-11-04<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15866\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/sql_str.png\" alt=\"sql_str\" width=\"822\" height=\"53\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/sql_str.png 822w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/sql_str-300x19.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/sql_str-600x39.png 600w\" sizes=\"auto, (max-width: 822px) 100vw, 822px\" \/><\/p>\n<pre>2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36  <\/pre>\n<p>The presence of those references confirms that the bot is pretty new, and probably under active development.<\/p>\n<p>We can also see many SQL queries and related error messages among the strings:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15868\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries-1.png\" alt=\"queries\" width=\"955\" height=\"647\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries-1.png 955w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries-1-300x203.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries-1-600x406.png 600w\" sizes=\"auto, (max-width: 955px) 100vw, 955px\" \/><\/p>\n<p>They are used to read and manipulate browser cookies, which are stored as SQLite databases.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15869\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/cookies_manipulate.png\" alt=\"cookies_manipulate\" width=\"882\" height=\"289\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/cookies_manipulate.png 882w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/cookies_manipulate-300x98.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/cookies_manipulate-600x197.png 600w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/p>\n<p>Queries deployed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15870\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries_deployed.png\" 
alt=\"queries_deployed\" width=\"977\" height=\"525\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries_deployed.png 977w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries_deployed-300x161.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/queries_deployed-600x322.png 600w\" sizes=\"auto, (max-width: 977px) 100vw, 977px\" \/><\/p>\n<h5>Man-in-the-Browser<\/h5>\n<p>The main module injected into <em>msiexec<\/em> opens local TCP sockets that are used to communicate with the module injected into the browser.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16195\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/tcp_socket.png\" alt=\"\" width=\"602\" height=\"145\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/tcp_socket.png 602w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/tcp_socket-300x72.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/tcp_socket-600x145.png 600w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p>All the communication between the browser and a particular website is first intercepted by the client32.dll injected into msiexec.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16196\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/spy_facebook.png\" alt=\"\" width=\"903\" height=\"567\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/spy_facebook.png 903w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/spy_facebook-300x188.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/spy_facebook-600x377.png 600w\" sizes=\"auto, (max-width: 903px) 100vw, 903px\" \/><\/p>\n<p>Like many Zbots, Terdot not only spies but also allows the displayed content to be modified, by means of &#8220;WebInjects&#8221; and &#8220;WebFakes&#8221;.<\/p>\n<p>Sites that 
are going to be hooked are specified by the configuration. An example target list from one of the samples shows that the main interest of the attackers is various banks: <a href=\"https:\/\/gist.github.com\/hasherezade\/4db462af582c079b0ffa059b1fd2c465#file-targets-txt\" target=\"_blank\">https:\/\/gist.github.com\/hasherezade\/4db462af582c079b0ffa059b1fd2c465#file-targets-txt<\/a><\/p>\n<p>Webinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the website. The scripts are hosted on a server controlled by the attackers. A sample list of the scripts fetched by the bot during tests:<\/p>\n<style>.gist table { margin-bottom: 0; }<\/style>\n<div class=\"gist-oembed\" data-gist=\"hasherezade\/4db462af582c079b0ffa059b1fd2c465.json?file=injects.txt\"><\/div>\n<p>Those JavaScript files are implanted into the attacked site before it is displayed in the browser &#8211; along with some more, obfuscated code. Templates of such implants are downloaded from the CnC server. You can see some examples <a href=\"https:\/\/gist.github.com\/hasherezade\/d06c4235e2ef3eda716ea68ea17c0407\" target=\"_blank\">here<\/a>.<\/p>\n<h3>Conclusion<\/h3>\n<p>Terdot is yet another bot based on Zeus. Feature-wise it is similar to other bankers. However, I think it deserves some attention because of its recent popularity. It has been prepared with attention to detail, so we may suspect that it is the work of professionals. 
It is actively developed, distributed and maintained &#8211; so it is likely that we will be seeing more of it in the future.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/zbot-with-legitimate-applications-on-board\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/zbot-with-legitimate-applications-on-board\/' title='Zbot with legitimate applications on board'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2015\/05\/photodune-2679907-http-s.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Recently, among the payloads delivered by exploit kits, we often find Terdot.A\/Zloader &#8211; a downloader installing on the victim machine a ZeuS-based malware.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/malware\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/banker\/\" rel=\"tag\">banker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/banking-malware\/\" rel=\"tag\">banking malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/terdot\/\" rel=\"tag\">terdot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/zbot\/\" rel=\"tag\">zbot<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/zeus-malware\/\" rel=\"tag\">Zeus malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/zloader\/\" rel=\"tag\">Zloader<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/zbot-with-legitimate-applications-on-board\/' title='Zbot with legitimate applications on board'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[1763,11100,4503,3764,11101,10494,11102,11103,11104],"class_list":["post-6400","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-banker","tag-banking-malware","tag-cybercrime","tag-malware","tag-terdot","tag-threat-analysis","tag-zbot","tag-zeus-malware","tag-zloader"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6400"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6400\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6400"},{"taxonomy":"
post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}