ThreatSTOP Blog

Zloader/Terdot – That Man in the Middle

Written by ThreatSTOP Security Team | July 21, 2017

The ZeuS malware family was first seen in July 2007 and is the poster child for long-lived bots. Zbot, one of the aliases of ZeuS, is a close relative of Terdot. When ZeuS's source code leaked in 2011, bad actors jumped at the chance to extend its capabilities to suit their own campaigns. One of these offspring was Terdot. Malwarebytes has studied the ZeuS family and has noted a recent increase in Terdot/Zloader infections.

Zloader acts as the loader for Zbot. The attack vector for its current campaign is phishing, or being dropped by the SunDown EK. Once the initial component of Zloader runs, it launches Windows Explorer (explorer.exe) and injects shellcode along with a new Portable Executable (PE) file containing payload.dll. Once Internet access is available, this in turn enables Zloader to download Zbot and other modules.

One of the main objectives of this campaign is to set up Man-In-The-Middle (MITM) attacks. Using legitimate files and applications, such as certutil, the malware installs a fake SSL certificate, which replaces the legitimate certificate used when communicating with a site via HTTPS. The browser cannot detect the change, so the user is never warned, and the compromise is only found during an active search.
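Since the browser gives no warning, that active search has to happen on the host itself. The PowerShell below is an added example, not code from the ThreatSTOP post: it lists root CA certificates in the machine and user Root stores that are either missing from a baseline thumbprint file captured on a known-clean system or are self-signed and issued recently; the baseline path and the 30-day window are assumptions.

```powershell
# Added example (not from the ThreatSTOP post). Hunts for root CA certificates
# that a tool such as certutil could have dropped into the Root stores.
# Assumptions: run on the host under review with rights to read both stores;
# $BaselinePath points to a file of trusted thumbprints (one per line) exported
# from a known-clean machine with:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint > baseline.txt

param(
    [string]$BaselinePath = 'C:\audit\root-baseline.txt',   # assumed path
    [int]$LookbackDays = 30                                 # tuning assumption
)

$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
}
$cutoff = (Get-Date).AddDays(-$LookbackDays)

$findings = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        # Any root not present on the clean reference host is suspicious.
        if ($baseline.Count -gt 0 -and ($baseline -notcontains $_.Thumbprint.ToUpper())) {
            $reasons += 'not in baseline'
        }
        # A freshly minted self-signed root is the typical shape of a rogue MITM CA.
        if ($_.Subject -eq $_.Issuer -and $_.NotBefore -gt $cutoff) {
            $reasons += "self-signed root issued within $LookbackDays days"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or EDR script can raise an alert
} else {
    Write-Output 'No unexpected root certificates found.'
}
```

Without a baseline file only the recency heuristic fires, so capture the baseline from a clean image before rolling the check out.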

According to scmagazine.com, the malware is being targeted at financial institutions and banks; this was determined from an encoded target list in the malware's payload.

Enabling the TSCritical targets in your user policy will add protection against Zloader/Terdot to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account, a free trial is available.

If you have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our team.