In the same folder, there is also an alien certificate (the filename, as well as the name of the issuer, is randomly generated). The certificate is installed with the help of certutil: "C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C, C, C" -i "C:\Users\tester\AppData\Local\Temp\nedea.crt" -d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default". It is easy to guess that this malware targets web browsers. Recently, among the payloads delivered by exploit kits, we often find Terdot.
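The command line above uses the NSS certutil syntax (-A adds a certificate, -n names it, -t "C,..." marks it as a trusted CA for SSL, -d points at the NSS database of a Firefox profile), which is what makes it a useful detection pivot: a certutil.exe running out of %TEMP% that writes a trusted CA into a Firefox profile is not something users or installers normally do. The following is an added example, not code from the original post, showing how a process-creation feed could be screened for that pattern. The event records are constructed stand-ins for EDR or Sysmon process-creation telemetry; the field names "pid", "image" and "cmd" are assumptions of this example.

```python
import re
import shlex

# Constructed sample process-creation records (not real telemetry). The first one mirrors
# the certutil invocation described in the post; the other two are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Users\tester\AppData\Local\Temp\certutil.exe",
     "cmd": r'"C:\Users\tester\AppData\Local\Temp\certutil.exe" -A -n "otdarufyr" -t "C, C, C" '
            r'-i "C:\Users\tester\AppData\Local\Temp\nedea.crt" '
            r'-d "C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"'},
    {"pid": 880,
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -hashfile C:\tools\setup.msi SHA256"},  # Windows certutil, not NSS
    {"pid": 2231,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -profile '
            r'"C:\Users\tester\AppData\Roaming\Mozilla\Firefox\Profiles\be7dt337.default"'},
]

FIREFOX_PROFILE_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32\\", r"c:\windows\syswow64\\")


def parse_args(cmd):
    """Split a Windows command line into {flag: value} pairs.
    posix=False keeps backslashes literal; quotes are retained on tokens and stripped here."""
    toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    opts = {}
    i = 1  # toks[0] is the image path
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[tok] = toks[i + 1]
                i += 2
            else:
                opts[tok] = True  # flag without a value, e.g. -A
                i += 1
        else:
            i += 1
    return opts


def assess(event):
    """Return a list of reasons why this certutil launch looks like a CA install into a
    browser profile, or None when the event does not match the NSS add-cert form at all."""
    image = event["image"].lower()
    if not image.endswith("certutil.exe"):
        return None
    opts = parse_args(event["cmd"])
    # NSS certutil's add-certificate form needs -A together with a database (-d).
    # Windows' own certutil.exe uses -addstore instead, so this already separates the two.
    if "-A" not in opts or "-d" not in opts:
        return None
    reasons = ["nss-certutil-add-cert"]
    if FIREFOX_PROFILE_RE.search(str(opts["-d"])):
        reasons.append("target-is-firefox-profile-db")
    # Trust string is "SSL,email,objsign"; a 'C' in the SSL slot means "trusted CA for SSL".
    ssl_slot = str(opts.get("-t", "")).split(",")[0].strip()
    if "C" in ssl_slot:
        reasons.append("trusted-ca-for-ssl")
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("certutil-outside-system-dirs")
    return reasons


def flagged_pids(events):
    """PIDs of all events that assess() considers suspicious."""
    return [e["pid"] for e in events if assess(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["pid"], assess(e))
```

Only the first record is flagged; the built-in Windows certutil hashing a file and Firefox opening the same profile fall through. In a real pipeline the same check would also be applied to the parent process, since here the dropper rather than an installer is the one spawning certutil.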
If we attach a debugger to the running browser, we can see that the same module is injected there, along with some more code used for API redirections.
In addition to the content dropped in %TEMP%, we can see some new folders with random names created in %APPDATA%. An interesting fact is that one of them contains legitimate files (see on VirusTotal: php.exe, php5ts.dll).
If we attach a debugger to the process, we can see the injected shellcode, along with a new PE file (payload.dll).
The interesting and unusual thing, typical for this Zloader, is that the DLL does not start at the beginning of the memory page, but after the shellcode. If we have an internet connection, the Zloader will load the second stage (the main bot) and inject it into
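Because the DLL sits behind the shellcode rather than at the start of its memory page, a memory scanner that only tests page-aligned offsets for an MZ header will miss it. The following is an added example, not code from the original post, showing a scan that walks every "MZ" candidate in a region, validates it by following e_lfanew to the "PE\0\0" signature, and reports whether the image is page-aligned and whether its IMAGE_FILE_HEADER marks it as a DLL. The region is constructed in-line (filler bytes standing in for the shellcode, followed by a minimal header-only PE); it is not Zloader's payload.

```python
import struct

PAGE_SIZE = 0x1000
IMAGE_FILE_DLL = 0x2000          # Characteristics bit in IMAGE_FILE_HEADER
FILE_HEADER_FMT = "<HHIIIHH"     # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                                 # NumberOfSymbols, SizeOfOptionalHeader, Characteristics


def build_minimal_pe(is_dll=True, machine=0x8664):
    """Constructed header-only PE (not loadable): DOS header with e_lfanew, 'PE\\0\\0',
    and an IMAGE_FILE_HEADER, padded with zeros. Stands in for payload.dll."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = struct.pack(FILE_HEADER_FMT, machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(0x200)


def build_region():
    """Constructed memory region: 0x2A0 bytes of 'shellcode' (with a decoy 'MZ' that is not a
    PE) followed by the minimal PE, padded to a whole page, the layout described above."""
    shellcode = b"\xE8\x00\x00\x00\x00\x5B" + b"MZ" + b"\x90" * (0x2A0 - 8)
    region = shellcode + build_minimal_pe()
    return region + bytes(-len(region) % PAGE_SIZE)


def find_pe_headers(buf):
    """Offsets of every MZ header in buf whose e_lfanew leads to a 'PE\\0\\0' signature."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # Sane e_lfanew range rules out random bytes that happen to spell "MZ".
            if 0x40 <= e_lfanew < 0x1000 and nt + 4 + 20 <= len(buf) and buf[nt:nt + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def scan_region(buf, base=0):
    """Describe each PE found in buf: virtual address, offset into its page, alignment, DLL flag."""
    findings = []
    for off in find_pe_headers(buf):
        nt = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
        machine, nsec, _, _, _, _, chars = struct.unpack_from(FILE_HEADER_FMT, buf, nt + 4)
        findings.append({
            "va": base + off,
            "page_offset": off % PAGE_SIZE,
            "page_aligned": off % PAGE_SIZE == 0,
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "machine": machine,
            "sections": nsec,
        })
    return findings


if __name__ == "__main__":
    for f in scan_region(build_region(), base=0x10000):
        print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
               for k, v in f.items()})
```

On the constructed region the scan reports a single DLL at page offset 0x2A0, i.e. not page-aligned, while the decoy "MZ" inside the filler is rejected because its e_lfanew is garbage. A page-granular scan of the same region would report nothing.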
Since there is much confusion about the naming, we decided to stick to the name Terdot Zloader/Zbot.
In this post we will have a look at the features and internals of this malware.

An example of the target list from one of the samples shows that the main interest of the attackers is various banks: https://gist.github.com/hasherezade/4db4s-txt

Webinjects are implemented by adding malicious scripts (specialized for a specific target) into the content of the website. The scripts are hosted on a server controlled by the attackers.

However, I think it deserves some attention because of its recent popularity.

From inside the injected module another internet connection is made, and some new elements are downloaded and dropped (including legitimate applications like

is also injected in browsers. The module deployed inside is used as a supervisor.

Queries deployed:

The main module injected into opens local TCP sockets that are used to communicate with the module injected into the browser.