The downloader Terdot Zloader and its accompanying Zbot banking trojan payload combine to abuse a legitimate certificate application to spy on users and modify web content via man-in-the-middle (MITM) attacks against browsers, an independent security researcher has reported after conducting an in-depth code analysis.

Zbot, an offspring of the Zeus banking trojan, appears to be the same program as the Sphinx malware previously reported by IBM's X-Force threat intelligence team, according to Poland-based researcher hasherezade, in a guest blog post for Malwarebytes. Over Twitter, hasherezade told SC Media that a fellow researcher informed her that the software dates back to 2015 and is also referred to as DEloader. (hasherezade also told SC Media that there is another malware on the black market that also referred to as Sphinx, but is not affiliated with this particular Zbot.)

The malware's encoded target website list reveals a clear interest on the malware distributors' part in targeting websites operated by banks and other financial institutions – many based in the UK – including Barclays, HSBC and PayPal.

Commonly distributed via the Sundown exploit kit, the Terdot Zloader/Zbot combination starts with an initial DLL-based (dynamic link library) downloader component that is injected into the code for Windows Program Manager. It is responsible for connecting with a command-and-control server and downloading the main malicious module.

The latter module is another DLL-based bot component that is injected into Microsoft's Windows Installer program as well as the victim machine's browsers. This Zbot module is capable of opening local TCP sockets that are used to facilitate communication between the browser and websites. This gives the malware the ability to carry out man-in-the-browser attacks (a variation of MITM) that display malicious or fraudulent content to victims in the form of webinjects and webfakes. (Often these tactics are used to trick site visitors into divulging personal or financial data.)

The main module also drops additional legitimate programs that it uses for malicious purposes. Specifically, it downloads a Microsoft "certutil" program to generate and install phony security certificates that claim the connection between the browser and website is secure, when it is in fact not. “Indeed, if we run a browser and try to visit some site over HTTPS, we will see that the original certificates are replaced by the malicious one,” writes hasherezade in the blog post. The domain listed on the fake certificate is legit; but upon closer inspection, the listed issuer is fictional.