{
	"id": "63d12849-640f-44ae-bd82-700b573429b4",
	"created_at": "2026-04-06T00:19:41.807722Z",
	"updated_at": "2026-04-10T03:28:39.994292Z",
	"deleted_at": null,
	"sha1_hash": "be4ed27df3189c0dc60800027c589af61d7463e0",
	"title": "Zbot with legitimate applications on board | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829219,
	"plain_text": "Zbot with legitimate applications on board | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-01-25 · Archived: 2026-04-02 12:23:55 UTC\r\nThe source code of the infamous ZeuS malware leaked in 2011. Since then, many cybercriminals have adopted it\r\nand augmented it with their own ideas. Recently, among the payloads delivered by exploit kits, we often find\r\nTerdot.A/Zloader – a downloader that installs ZeuS-based malware on the victim machine.\r\nThe payload is very similar to the malware described in this article and referenced under the name Sphinx.\r\nHowever, after consulting with other researchers (special thanks to ), we were shown that the bot sold as\r\nSphinx is very different (sample). Since there is a lot of confusion about the naming, we decided to stick to the\r\nname Terdot Zloader/Zbot.\r\nIn this post we will have a look at the features and internals of this malware. As we will see, the dropped package\r\nconsists not only of malicious files, but also of legitimate applications used for malicious purposes.\r\nAnalyzed samples\r\nd45b8a20a991acd01d2ff63735fc1adf – original executable #1\r\n950368afb934fd3fd5b2d4e6704b757b – original executable #2\r\nfca092aca679edd9564d00e9640f939d – original executable #3\r\nae1d1f4597f76912d7bd9962b96eecbb – loader (unpacked)\r\n268fd83403da27a80ab1a3cf9ac45b67 – payload.dll (injected into explorer)\r\n6c34779503414210378371d250a3a1af – client32.dll (Zbot downloaded and injected into\r\nmsiexec, and into browsers)\r\nf9373dc232028da52ad33b017e33bbd3 – original executable #4\r\nDistribution\r\nMost of the analyzed samples were dropped by SundownEK – some of the campaigns are described in detail\r\nhere: 28 Dec 2016, 6 Jan 2017, and 18 Jan 2017. However, we also encountered cases where Terdot.A/Zloader\r\nwas dropped by a malicious email attachment.\r\nBehavioral analysis\r\nAfter the sample is run, we can see it deploying explorer and then terminating. 
It is easy to guess that it injected\r\nsome malicious modules there.\r\nhttps://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/\r\nPage 1 of 18\n\nIf we attach a debugger to the explorer process, we can see the injected shellcode, along with a new PE file\r\n(payload.dll). The interesting and unusual thing, typical for this Zloader, is that the DLL does not start at the\r\nbeginning of the memory page, but after the shellcode:\r\nIf we have an internet connection, the Zloader will load the second stage (the main bot) and inject it into\r\nmsiexec.exe.\r\nThe injected module beacons to the CnC and downloads other modules. Observed patterns of the gates:\r\n/FE8hVs3/gs98h.php /bdk/gate.php\r\nThe communication is encrypted:\r\nThe CnC responds with a new PE file – the module of the malware (client32.dll). The downloader decrypts it in\r\nmemory and injects it further: after a while we can see explorer terminating and another program being\r\ndeployed: msiexec. The initial malware executable is deleted.\r\nAttaching a debugger to msiexec, we can find the Zbot (client32.dll) implanted and running in the process space.\r\nFrom inside the injected module another internet connection is made, and some new elements are\r\ndownloaded and dropped (including legitimate applications like certutil and php – their role will be described\r\nfurther). The same client32.dll is also injected into browsers.\r\nThe module deployed inside msiexec.exe is used as a supervisor. 
It opens TCP sockets locally and communicates\r\nwith the modules injected into browsers, in order to monitor opened pages.\r\nMitM\r\nThe main module of the bot downloads and drops some new elements into the %TEMP% folder.\r\nSurprisingly, those files are not malware. We can see the\r\nIn the same folder, there is also an alien certificate (the filename, as well as the name of the issuer, is randomly\r\ngenerated).\r\nThe certificate is installed with the help of certutil, for the purpose of Man-in-the-Middle attacks (in such\r\ncases they are also called Man-in-the-Browser).\r\nExample – a command line deployed during tests:\r\n\"C:UserstesterAppDataLocalTempcertutil.exe\" -A -n \"otdarufyr\" -t \"C,C,C\" -i \"C:UserstesterAppDataLo\r\nIt is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit some site\r\nover HTTPS, we will see that the original certificates are replaced by the malicious one. 
See the examples below –\r\nnote that the subject of the certificate contains the valid domain; only the issuer field lets us\r\nrecognize that the certificate is not legitimate:\r\nSantander MitB on Firefox:\r\nThe browser claims that the connection is secure – but when we look at the details, we can find that the connection is\r\n“protected” by the fake certificate dropped by the malware:\r\nFacebook MitB on Internet Explorer:\r\nBrowsers do not alert about any inconsistency – and a user who was not vigilant enough to check the details of\r\nthe certificate may easily get deceived…\r\nIf we attach a debugger to the running browser, we can see that the same client32.dll is injected there – along\r\nwith some more code used for API redirections.\r\nPersistence\r\nIn addition to the content dropped in %TEMP%, we can see some new folders with random names created in\r\n%APPDATA%:\r\nAn interesting fact is that one of them contains a legitimate php.exe (see on VirusTotal: php.exe, php5ts.dll).\r\n…and some obfuscated php code:\r\nhttps://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-script-php\r\n(Formatted version here).\r\nOther folders contain some encrypted data, e.g.:\r\nInterestingly, this php package is referenced at autostart:\r\nThe link deploys the dropped php application and runs the script that we saw 
before:\r\nWe can easily suspect that this is a method of persistence. Deobfuscating the PHP code confirms this guess. See\r\nthe same code after cleanup:\r\nhttps://gist.github.com/hasherezade/1952374847712805c4f7199b7423dd27#file-deobfuscated-php\r\nAs we can notice, the file royxh.umh contains the encrypted code of the malware. Using the presented PHP script it is\r\ndecrypted back into the Zloader executable:\r\nfca092aca679edd9564d00e9640f939d\r\nThe dropped file is run and then deleted.\r\nInside\r\nZloader – payload.dll\r\nThis element – unpacked from the initial sample and injected into explorer.exe – is a downloader, identified as\r\nTerdot.A/Zloader. It is responsible for connecting to the CnC and downloading the main malicious module,\r\nthat is, the Zbot.\r\nZbot – client32.dll\r\nThe second stage is also a DLL – this time it is injected into msiexec.exe as well as into browsers:\r\nAttacked targets\r\nThe bot injects itself into the most popular browsers, in order to hook their API:\r\nIt excludes from the attack computers with the Russian language installed – but instead of doing it silently, like most\r\nmalware, it very openly announces this fact:\r\nThe SQL part\r\nInside the bot we can find references to an SQL release from the end of 2016 (see\r\n2016-11-04 12:08:49 1136863c76576110e710dd5d69ab6bf347c65e36\r\nThe presence of those references confirms that the bot is pretty new, and probably under active\r\ndevelopment.\r\nWe can also see many SQL queries and related error messages among the 
strings:\r\nThey are used to read and manipulate browser cookies, which are stored in the form of SQLite databases.\r\nQueries deployed:\r\nMan-in-the-Browser\r\nThe main module injected into msiexec opens local TCP sockets that are used to communicate with\r\nthe module injected into the browser.\r\nAll the communication between the browser and a particular website first goes through client32.dll injected into\r\nmsiexec.\r\nLike many Zbots, Terdot not only spies but also allows the displayed content to be modified, by “WebInjects” and\r\n“WebFakes”.\r\nThe sites that are going to be hooked are specified by the configuration. An example of the target list from one of the samples\r\nshows that the main interest of the attackers is various banks:\r\nhttps://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-targets-txt\r\nWebinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the\r\nwebsite. The scripts are hosted on a server controlled by the attackers. Sample list of the scripts fetched by the bot\r\nduring tests: https://gist.github.com/hasherezade/4db462af582c079b0ffa059b1fd2c465#file-injects-txt Those JavaScripts\r\nare implanted into the attacked site before it is displayed in the browser – along with some more\r\nobfuscated code. Templates of such implants are downloaded from the CnC server. You can see some examples\r\nhere.\r\nConclusion\r\nTerdot is yet another bot based on Zeus. Feature-wise it is similar to other bankers. However, I think it deserves\r\nsome attention because of its recent popularity. It has been prepared with attention to detail, so we may suspect\r\nthat it is the work of professionals. 
It is actively developed, distributed and maintained – so the probability is high\r\nthat we will be seeing more of it in the future.\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going into details about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/"
	],
	"report_names": [
		"zbot-with-legitimate-applications-on-board"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775791719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be4ed27df3189c0dc60800027c589af61d7463e0.pdf",
		"text": "https://archive.orkl.eu/be4ed27df3189c0dc60800027c589af61d7463e0.txt",
		"img": "https://archive.orkl.eu/be4ed27df3189c0dc60800027c589af61d7463e0.jpg"
	}
}