1. Overview
Zloader is a notorious banking trojan also known as Terdot or Zbot. It was first discovered in 2016, and its distribution has grown steadily since then. Zloader's code is said to be built on the leaked source code of the famous ZeuS malware: the ZeuS source was made public in 2011 and has since been reused in numerous malicious code samples.
Zloader has all the standard functionality of a banking trojan, such as fetching information from browsers, stealing cookies and passwords, and capturing screenshots. To make analysis difficult, it applies advanced techniques including code obfuscation, string encryption, and masking of Windows API calls. Recently, Check Point researchers published an analysis of a Zloader distribution campaign in which the infection exploited Microsoft's digital signature checking process. In addition, Zloader has recently been seen working alongside ransomware gangs such as Ryuk and Egregor. This indicates that the actors behind this malware are still looking for new ways to upgrade it and bypass defenses. Here is the ranking of Zloader according to the rating from the AnyRun site:
Most recently, multiple telecommunication providers and cybersecurity firms worldwide, including ESET, Black Lotus Labs, Palo Alto Networks' Unit 42, and Avast, partnered with Microsoft's security researchers in an investigative effort. They took legal and technical steps to disrupt the Zloader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts.
In this article, we will provide a detailed analysis of the techniques that Zloader uses, including:
- How to unpack the sample and dump the Zloader core DLL.
- The techniques Zloader uses to make the analysis process difficult and time consuming.
- Decrypting the strings used by Zloader using both IDAPython and AppCall methods.
- Applying AppCall to recover the masked Windows API calls.
- The process injection technique that Zloader uses to inject into the msiexec.exe process.
- Decrypting the configuration information related to the C2 addresses.
- How Zloader collects information and saves it in the Registry.
- The persistence technique.
The sample analyzed in this article has SHA-256: 034f61d86de99210eb32a2dca27a3ad883f54750c46cdec4fcc53050b2f716eb