Zeus malware resurfaces as Zbot/Terdot, integrates legitimate apps

News by Rene Millman

Malware contains genuine apps used for nefarious purposes

A variant of the Zeus malware, the source code of which was leaked in 2011, has reappeared as new malware containing legitimate applications.

According to a security researcher known as Hasherezade, the malware uses legitimate apps for malicious purposes.

In a blog post, she said that systems have been infected with Zbot via the Sundown exploit kit as well as malicious email attachments.

She added that, as usual for malware, a payload DLL “does not start at the beginning of the memory page, but after the shellcode”. If an internet connection is detected, the Zloader loads the second stage (the main bot) and injects it into msiexec.exe. The injected module then beacons to the CnC and downloads other modules.

“CnC responds with a new PE file – the module of the malware: (client32.dll). Downloader decrypts it in the memory and injects further: after a while we can see the explorer terminating and another program being deployed: msiexec. The initial malware executable is deleted,” said Hasherezade.

She said the main module of the bot downloads and drops some new elements into the temp folder. 

“Surprisingly, those files are non-malware. We can see the certutil application along with its dependencies – legitimate DLLs,” she said. There are also some fake certificates planted in the same folder with the help of the certutil application; these are what allow the malware to carry out man-in-the-middle attacks.

“It is easy to guess that this malware targets web browsers. Indeed, if we run a browser and try to visit some site over HTTPS, we will see that the original certificates are replaced by the malicious one. See examples below – note that the subject of the certificate contains the valid domain – only the issuer field can let us recognise that the certificate is not legitimate,” said Hasherezade.

She added that browsers do not alert about any inconsistency around the certificates, so any user who is not vigilant enough to check the details of the certificate may easily be deceived.
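Because the browser trusts whatever root certificates sit in the Windows certificate stores, the planted root is what makes the forged site certificates pass silently. The following PowerShell script is an added example, not code from the article or from Hasherezade's analysis: it records the thumbprints of every trusted root on a known-clean machine and then reports any root on an audited host that is absent from that baseline, together with its issuer and whether it is self-signed. The baseline file name and location are assumptions for the example.

```powershell
# Added example (not from the article or the original analysis): audit the Windows root
# certificate stores for roots that were not present in a known-good baseline.
# $BaselinePath is an assumed location: one SHA-1 thumbprint per line, exported from a clean host.

param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.txt"
)

# Both the machine-wide and the per-user root stores are checked, since a planted root in
# either one is enough for a browser to accept a forged site certificate without warning.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Run once on a known-clean reference machine, then copy the file to the hosts being audited.
function Export-RootBaseline {
    param([string]$Path)
    $stores | ForEach-Object { Get-ChildItem $_ } |
        Select-Object -ExpandProperty Thumbprint -Unique |
        Set-Content -Path $Path
}

# Compare the live root stores against the baseline and emit one object per unexpected root.
function Find-UnexpectedRoot {
    param([string]$Path)

    $known = @{}
    Get-Content $Path | ForEach-Object { $known[$_.Trim().ToUpper()] = $true }

    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem $store) {
            if (-not $known.ContainsKey($cert.Thumbprint.ToUpper())) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotBefore  = $cert.NotBefore
                    Thumbprint = $cert.Thumbprint
                    # A root is normally self-signed; an unexpected self-signed root that
                    # appeared recently is the pattern to look at first.
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                }
            }
        }
    }
}

# Usage:
#   on the clean reference host:  Export-RootBaseline -Path $BaselinePath
#   on hosts being audited:       Find-UnexpectedRoot -Path $BaselinePath | Format-Table -AutoSize
if (Test-Path $BaselinePath) {
    Find-UnexpectedRoot -Path $BaselinePath | Format-Table -AutoSize
} else {
    Write-Warning "No baseline at $BaselinePath; run Export-RootBaseline on a clean host first."
}
```

The same thumbprint baseline can be fed to a scheduled task or an EDR script job so that a root appearing outside normal patching is raised as an alert rather than discovered after the fact; the NotBefore date of a flagged root usually lines up with the time of infection.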

The malware also uses the legitimate application php.exe and php5ts.dll, as well as some obfuscated php code. The php application decrypts a file and this becomes the Zloader executable.

Interestingly, the malware is programmed to avoid attacking computers with Russian language packs installed. The malware can also use SQL queries to read and manipulate browser cookies stored in form of SQLite databases.

The security researcher said that the malware had been prepared with attention to detail, and she suspected that it is the work of professionals. “It is actively developed, distributed and maintained – so the probability is high that we will be seeing it more in the future,” she said.

Fraser Kyne, EMEA CTO at Bromium, told SC Media UK that malware authors will often return to old models and methods, as they continually morph their attacks for greater effect.

“It's about attacking with something unsuspected; and knowing that people are so busy focusing on new threats that perhaps they start to neglect older ones. We often see trends from the past come back, such as the re-emergence of macro-based malware attacks in documents in 2016,” he said.

He added there could be a number of reasons why malware sometimes contains legitimate applications.

“In some instances, it can help to mask the malicious intent behind an attack. If the user sees that an application they trust has been installed, they're probably a little less likely to realise it was an attack or question it any further. However, hackers could also be using it as a means of installing a backdoor that won't be detected by antivirus software.

“Vulnerabilities present in some applications can be exploited with code-injection attacks, so hackers could potentially be including legitimate software with known exploits, with the intent of using that as a hidden entry-point onto the user device at a later date.” 

Andy Norton, risk officer EMEA at SentinelOne, told SC that as the malware contains legitimate applications it could be classified as a white file attack.

“A legitimate program, php.exe, is installed onto the system and runs a script file that delivers Zbot; Zbot is then injected into the victim's other legitimate processes. This reduces the number of distinctive files used for maliciousness and, in doing so, reduces the chances of detection,” he said.

“What the attackers are not able to change is what Zbot is used for and how it behaves, so if you instrument the endpoint and monitor for behaviours, regardless of what files, or even lack of files, cause the malicious activity, it will still be stopped.”
