
Terdot Zloader/Zbot combo abuses certificate app to pull off MITM browser attacks

The downloader Terdot Zloader and its accompanying Zbot banking trojan payload combine to abuse a legitimate certificate application to spy on users and modify web content via man-in-the-middle (MITM) attacks against browsers, an independent security researcher has reported after conducting an in-depth code analysis.

Zbot, an offspring of the Zeus banking trojan, appears to be the same program as the Sphinx malware previously reported by IBM's X-Force threat intelligence team, according to Poland-based researcher hasherezade, in a guest blog post for Malwarebytes. Over Twitter, hasherezade told SC Media that a fellow researcher informed her that the software dates back to 2015 and is also referred to as DEloader. (hasherezade also told SC Media that there is another malware on the black market that is also referred to as Sphinx, but is not affiliated with this particular Zbot.)

The malware's encoded target website list reveals a clear interest on the malware distributors' part in targeting websites operated by banks and other financial institutions – many based in the UK – including Barclays, HSBC and PayPal.

Commonly distributed via the Sundown exploit kit, the Terdot Zloader/Zbot combination starts with an initial DLL-based (dynamic link library) downloader component that is injected into the code for Windows Program Manager. It is responsible for connecting with a command-and-control server and downloading the main malicious module.

The latter module is another DLL-based bot component that is injected into Microsoft's Windows Installer program as well as the victim machine's browsers. This Zbot module is capable of opening local TCP sockets that are used to facilitate communication between the browser and websites. This gives the malware the ability to carry out man-in-the-browser attacks (a variation of MITM) that display malicious or fraudulent content to victims in the form of webinjects and webfakes. (Often these tactics are used to trick site visitors into divulging personal or financial data.)

The main module also drops additional legitimate programs that it uses for malicious purposes. Specifically, it downloads Microsoft's "certutil" program and uses it to generate and install phony security certificates that claim the connection between the browser and website is secure, when in fact it is not. “Indeed, if we run a browser and try to visit some site over HTTPS, we will see that the original certificates are replaced by the malicious one,” writes hasherezade in the blog post. The domain listed on the fake certificate is the genuine one; but upon closer inspection, the listed issuer is fictional.
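From a defender's side, the step worth alerting on is a built-in tool being used to add a certificate to a trusted root store. The following is an added example, not code from the article or from hasherezade's analysis: it runs a simple detection over process-creation records (constructed here to resemble Sysmon Event ID 1 fields) and flags `certutil -addstore` calls whose target is a trust-anchor store. `-addstore`, `-f` and `-enterprise` are real certutil syntax; the event contents, the file paths and the parent-process severity heuristic are assumptions made for the example.

```python
"""Flag certutil invocations that install certificates into a Windows trust-anchor store.

Added example (not from the article). The sample events below are constructed to look
like Sysmon process-creation records; only the certutil -addstore syntax is real.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stores whose members are accepted as chain roots, so a rogue entry lets a
# forged site certificate (correct domain, made-up issuer) validate cleanly.
TRUST_ANCHOR_STORES = {"root", "authroot"}

# Parents from which an administrator would plausibly run certutil by hand
# (assumption for the severity heuristic; tune to the environment).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    store: str
    cert_path: str
    parent_image: str
    severity: str


# Constructed sample records. The first mirrors the article's description of the bot
# running inside the Windows Installer process; the rest are benign or unrelated uses.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\msiexec.exe",
                 r'certutil.exe -addstore -f Root C:\Users\victim\AppData\Local\Temp\cert.cer'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 r'certutil -addstore "Root" C:\temp\corp-ca.cer'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 r'certutil -addstore My C:\temp\user.cer'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 r'certutil -hashfile C:\temp\installer.msi SHA256'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
                 r'certutil -enterprise -addstore Root C:\temp\x.cer'),
]


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes and keeping backslashes."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    return [t for t in tokens if t]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_addstore(command_line: str) -> tuple[str, str] | None:
    """Return (store, cert_path) for a 'certutil [opts] -addstore [-f] Store File' call, else None."""
    tokens = tokenize(command_line)
    if not tokens or basename(tokens[0]) not in {"certutil", "certutil.exe"}:
        return None
    verb_positions = [i for i, t in enumerate(tokens)
                      if t[0] in "-/" and t.lstrip("-/").lower() == "addstore"]
    if not verb_positions:
        return None
    # Verb-level switches such as -f follow the verb; the first two bare tokens after it
    # are the store name and the certificate file.
    positional = [t for t in tokens[verb_positions[0] + 1:] if t[0] not in "-/"]
    if len(positional) < 2:
        return None
    return positional[0], positional[1]


def find_trust_anchor_installs(events: list[ProcessEvent]) -> list[Finding]:
    """Return one Finding per certutil call that adds a certificate to a trust-anchor store."""
    findings = []
    for ev in events:
        if basename(ev.image) != "certutil.exe":
            continue
        parsed = parse_addstore(ev.command_line)
        if parsed is None:
            continue
        store, cert_path = parsed
        if store.lower() not in TRUST_ANCHOR_STORES:
            continue
        # Heuristic: a root-store install launched from anything other than an interactive
        # shell (e.g. from an installer or a browser process) deserves the higher severity.
        severity = "medium" if basename(ev.parent_image) in INTERACTIVE_SHELLS else "high"
        findings.append(Finding(store, cert_path, ev.parent_image, severity))
    return findings


if __name__ == "__main__":
    for f in find_trust_anchor_installs(SAMPLE_EVENTS):
        print(f"[{f.severity}] root-store install: store={f.store} file={f.cert_path} parent={f.parent_image}")
```

The rule deliberately ignores installs into the personal ("My") store and non-install certutil verbs, so it stays quiet on routine use; pairing it with a periodic inventory of the machine's root store (any certificate whose issuer is not one of the organisation's known CAs) catches installs that bypassed certutil altogether.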

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
