As part of my work at Vincss, I wrote an article about Zloader — “[RE026] A Deep Dive into Zloader — the Silent Night”.
Zloader, a notorious banking trojan also known as Terdot or Zbot. This trojan was first discovered in 2016, and over time its distribution number has also continuously increased. The Zloader’s code is said to be built on the leaked source code of the famous ZeuS malware. In 2011, when source code of ZeuS was made public and since then, it has been used in various malicious code samples.
Zloader has all the standard functionality of a trojan such as being able to fetch information from browsers, stealing cookies and passwords, capturing screenshots, etc. and for making analysis difficult, it applies advanced techniques, including code obfuscation and string encryption, masking Windows APIs call. Recently, CheckPoint expert published an analysis of a Zloader distribution campaign whereby the infection exploited Microsoft’s digital signature checking process. In addition, Zloader has also recently partnered with different ransomware gangs are Ryuk and Egregor.
Most recently, multiple telecommunication providers and cybersecurity firms worldwide partnered with Microsoft’s security researchers throughout the investigative effort, including ESET, Black Lotus Labs, Palo Alto Networks’ Unit 42, and Avast. They took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts.
My deep dive will provide detailed analysis and techniques that Zloader uses, including:
- How to unpack to dump Zloader Core Dll.
- The technique that Zloader makes difficult as well as time consuming in the analysis process.
- Decrypt strings used by Zloader by using both IDAPython and AppCall methods.
- Apply AppCall to recover the Windows API calls.
- Process Injection technique that Zloader uses to inject into the msiexec.exe process.
- Decrypt configuration information related to C2s addresses.
Read full my research here!!!
