win.zloader

Zloader

aka: Terdot, DELoader

This family describes the (initially small) loader, which downloads Zeus OpenSSL.

In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with a size of 27648 bytes. In January 2017, with v1.15.0.0, obfuscation was added, which increased the size to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started distributing it at the same time.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

References

2018-09-06 ⋅ int 0xcc blog ⋅ Raashid Bhat
@online{bhat:20180906:dissecting:8c82fb5,
    author = {Raashid Bhat},
    title = {{Dissecting DEloader malware with obfuscation}},
    date = {2018-09-06},
    organization = {int 0xcc blog},
    url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware},
    language = {English},
    urldate = {2020-01-06}
}

2017-06-15 ⋅ Limor Kessem
@online{kessem:20170615:zeus:7c4b8e4,
    author = {Limor Kessem},
    title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}},
    date = {2017-06-15},
    url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/},
    language = {English},
    urldate = {2019-12-02}
}

2017-01-26 ⋅ SecurityIntelligence ⋅ Limor Kessem
@online{kessem:20170126:around:eaefc0c,
    author = {Limor Kessem},
    title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}},
    date = {2017-01-26},
    organization = {SecurityIntelligence},
    url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/},
    language = {English},
    urldate = {2020-01-07}
}

2017-01-26 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20170126:zbot:b625eef,
    author = {Malwarebytes Labs},
    title = {{Zbot with legitimate applications on board}},
    date = {2017-01-26},
    organization = {Malwarebytes},
    url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/},
    language = {English},
    urldate = {2019-12-20}
}

2016-09-22 ⋅ Forcepoint ⋅ Nicholas Griffin
@online{griffin:20160922:zeus:94d0df7,
    author = {Nicholas Griffin},
    title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}},
    date = {2016-09-22},
    organization = {Forcepoint},
    url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks},
    language = {English},
    urldate = {2020-01-13}
}

2016-06-21 ⋅ Fortinet ⋅ Floser Bacurio, Roland Dela Paz
@online{bacurio:20160621:curious:8607f46,
    author = {Floser Bacurio and Roland Dela Paz},
    title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}},
    date = {2016-06-21},
    organization = {Fortinet},
    url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html},
    language = {English},
    urldate = {2020-01-08}
}
Yara Rules
[TLP:WHITE] win_zloader_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_zloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ff742410 ff742410 6a00 e8???????? 83c414 c3 56 }
            // n = 7, score = 500
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_1 = { 6aff 50 e8???????? 8d857cffffff 50 }
            // n = 5, score = 500
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d857cffffff         | lea                 eax, [ebp - 0x84]
            //   50                   | push                eax

        $sequence_2 = { e8???????? 6a40 6800300000 50 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   50                   | push                eax

        $sequence_3 = { 89542444 e8???????? 03c0 6689442438 }
            // n = 4, score = 500
            //   89542444             | mov                 dword ptr [esp + 0x44], edx
            //   e8????????           |                     
            //   03c0                 | add                 eax, eax
            //   6689442438           | mov                 word ptr [esp + 0x38], ax

        $sequence_4 = { 03c0 6689442438 8b442438 83c002 }
            // n = 4, score = 500
            //   03c0                 | add                 eax, eax
            //   6689442438           | mov                 word ptr [esp + 0x38], ax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   83c002               | add                 eax, 2

        $sequence_5 = { 8d442418 99 52 50 8d44243c }
            // n = 5, score = 500
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]

        $sequence_6 = { 8bc3 5b c3 8b44240c 83f8ff }
            // n = 5, score = 500
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   83f8ff               | cmp                 eax, -1

        $sequence_7 = { 5e c9 c3 55 8bec 81ec1c010000 56 }
            // n = 7, score = 500
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec1c010000         | sub                 esp, 0x11c
            //   56                   | push                esi

        $sequence_8 = { 83c414 c3 56 ff742410 8b74240c ff742410 }
            // n = 6, score = 500
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_9 = { 50 8d44243c 99 52 }
            // n = 4, score = 500
            //   50                   | push                eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   99                   | cdq                 
            //   52                   | push                edx

        $sequence_10 = { c6043000 5e c3 56 }
            // n = 4, score = 400
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_11 = { e8???????? 83c414 c3 8b542404 85d2 7503 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5

        $sequence_12 = { 81ec54060000 e8???????? 8b400c 8b4014 8945d0 }
            // n = 5, score = 300
            //   81ec54060000         | sub                 esp, 0x654
            //   e8????????           |                     
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_13 = { d1e9 894dd8 8b45ec 85c1 0f95c0 }
            // n = 5, score = 300
            //   d1e9                 | shr                 ecx, 1
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   85c1                 | test                ecx, eax
            //   0f95c0               | setne               al

        $sequence_14 = { 89e5 53 57 56 81ec54060000 e8???????? }
            // n = 6, score = 300
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   81ec54060000         | sub                 esp, 0x654
            //   e8????????           |                     

        $sequence_15 = { 8945c4 8b4580 8945c8 8b45c4 8b4dc8 8901 8b45c4 }
            // n = 7, score = 300
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   8b4580               | mov                 eax, dword ptr [ebp - 0x80]
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]

        $sequence_16 = { c7460488130000 c7462401000000 c7462800004001 e8???????? 89460c }
            // n = 5, score = 300
            //   c7460488130000       | mov                 dword ptr [esi + 4], 0x1388
            //   c7462401000000       | mov                 dword ptr [esi + 0x24], 1
            //   c7462800004001       | mov                 dword ptr [esi + 0x28], 0x1400000
            //   e8????????           |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_17 = { 8b4de8 8b4904 8b5744 8b45ec }
            // n = 4, score = 300
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   8b5744               | mov                 edx, dword ptr [edi + 0x44]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_18 = { 83ec18 89d6 89cf 8d0476 8945ec 890424 }
            // n = 6, score = 300
            //   83ec18               | sub                 esp, 0x18
            //   89d6                 | mov                 esi, edx
            //   89cf                 | mov                 edi, ecx
            //   8d0476               | lea                 eax, [esi + esi*2]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_19 = { 5b c3 8bc2 ebf7 8d442410 }
            // n = 5, score = 200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8bc2                 | mov                 eax, edx
            //   ebf7                 | jmp                 0xfffffff9
            //   8d442410             | lea                 eax, [esp + 0x10]

        $sequence_20 = { ebf7 8d442410 50 ff742410 }
            // n = 4, score = 200
            //   ebf7                 | jmp                 0xfffffff9
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_21 = { 50 6a72 e8???????? 59 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   6a72                 | push                0x72
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_22 = { c3 8bc2 ebf8 53 8b5c240c 55 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   8bc2                 | mov                 eax, edx
            //   ebf8                 | jmp                 0xfffffffa
            //   53                   | push                ebx
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   55                   | push                ebp

        $sequence_23 = { 4e 75ee 89048d908f0900 41 81f900010000 }
            // n = 5, score = 100
            //   4e                   | dec                 esi
            //   75ee                 | jne                 0xfffffff0
            //   89048d908f0900       | mov                 dword ptr [ecx*4 + 0x98f90], eax
            //   41                   | inc                 ecx
            //   81f900010000         | cmp                 ecx, 0x100

        $sequence_24 = { e8???????? 68f4600900 56 e8???????? 8bf0 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   68f4600900           | push                0x960f4
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_25 = { 8d442464 50 ff742428 ff742428 }
            // n = 4, score = 100
            //   8d442464             | lea                 eax, [esp + 0x64]
            //   50                   | push                eax
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   ff742428             | push                dword ptr [esp + 0x28]

        $sequence_26 = { 55 8bec 81ec04040000 53 56 68806e0900 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec04040000         | sub                 esp, 0x404
            //   53                   | push                ebx
            //   56                   | push                esi
            //   68806e0900           | push                0x96e80

        $sequence_27 = { 83e001 d1e9 330c8500850900 330d???????? 890d???????? 8b0cb5c0850900 }
            // n = 6, score = 100
            //   83e001               | and                 eax, 1
            //   d1e9                 | shr                 ecx, 1
            //   330c8500850900       | xor                 ecx, dword ptr [eax*4 + 0x98500]
            //   330d????????         |                     
            //   890d????????         |                     
            //   8b0cb5c0850900       | mov                 ecx, dword ptr [esi*4 + 0x985c0]

        $sequence_28 = { 7334 8b04f51c610900 0fb7d7 660fbe0c10 0fb604f518610900 6633c8 }
            // n = 6, score = 100
            //   7334                 | jae                 0x36
            //   8b04f51c610900       | mov                 eax, dword ptr [esi*8 + 0x9611c]
            //   0fb7d7               | movzx               edx, di
            //   660fbe0c10           | movsx               cx, byte ptr [eax + edx]
            //   0fb604f518610900     | movzx               eax, byte ptr [esi*8 + 0x96118]
            //   6633c8               | xor                 cx, ax

        $sequence_29 = { f644242c01 55 50 6808850900 ff74242c b9686e0900 68546e0900 }
            // n = 7, score = 100
            //   f644242c01           | test                byte ptr [esp + 0x2c], 1
            //   55                   | push                ebp
            //   50                   | push                eax
            //   6808850900           | push                0x98508
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   b9686e0900           | mov                 ecx, 0x96e68
            //   68546e0900           | push                0x96e54

        $sequence_30 = { 8d4580 50 8d8578fdffff 50 68fc600900 6804010000 ff7508 }
            // n = 7, score = 100
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   8d8578fdffff         | lea                 eax, [ebp - 0x288]
            //   50                   | push                eax
            //   68fc600900           | push                0x960fc
            //   6804010000           | push                0x104
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_31 = { bbffffff7f 8b0c95c4850900 330c95c0850900 23cb 330c95c0850900 }
            // n = 5, score = 100
            //   bbffffff7f           | mov                 ebx, 0x7fffffff
            //   8b0c95c4850900       | mov                 ecx, dword ptr [edx*4 + 0x985c4]
            //   330c95c0850900       | xor                 ecx, dword ptr [edx*4 + 0x985c0]
            //   23cb                 | and                 ecx, ebx
            //   330c95c0850900       | xor                 ecx, dword ptr [edx*4 + 0x985c0]

    condition:
        7 of them
}
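To make the mechanics of the rule above concrete, here is an added Python example (not Malpedia's or yara-signator's code) that compiles a subset of its hex strings into byte regexes, treats each `??` pair as one wildcard byte (the four-byte displacement after the `e8` call opcode that the rule leaves open), and evaluates the `7 of them` condition over constructed input blobs that are not real samples.

```python
import re

# Hex strings copied from $sequence_0 .. $sequence_7 of win_zloader_auto above.
# As in YARA, "??" stands for exactly one wildcard byte.
SEQUENCES = {
    "sequence_0": "ff742410 ff742410 6a00 e8???????? 83c414 c3 56",
    "sequence_1": "6aff 50 e8???????? 8d857cffffff 50",
    "sequence_2": "e8???????? 6a40 6800300000 50",
    "sequence_3": "89542444 e8???????? 03c0 6689442438",
    "sequence_4": "03c0 6689442438 8b442438 83c002",
    "sequence_5": "8d442418 99 52 50 8d44243c",
    "sequence_6": "8bc3 5b c3 8b44240c 83f8ff",
    "sequence_7": "5e c9 c3 55 8bec 81ec1c010000 56",
}

def hex_seq_to_regex(seq: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex: each hex pair becomes a
    literal byte, each "??" pair becomes "." (any single byte)."""
    digits = seq.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string must have an even number of digits")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif "?" in pair:
            raise ValueError("nibble wildcards are not handled in this example")
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def matching_sequences(data: bytes) -> set:
    """Names of all sequences that occur at least once in data."""
    return {name for name, seq in SEQUENCES.items()
            if hex_seq_to_regex(seq).search(data)}

def rule_matches(data: bytes, threshold: int = 7) -> bool:
    """The rule's condition '7 of them': at least 7 distinct strings match."""
    return len(matching_sequences(data)) >= threshold

def hex_seq_to_bytes(seq: str, fill: int) -> bytes:
    """Constructed concrete bytes for a sequence; every wildcard byte is
    replaced by 'fill' (used only to build test input)."""
    return bytes.fromhex(seq.replace(" ", "").replace("??", f"{fill:02x}"))

def build_sample(names, fill: int = 0x11) -> bytes:
    """Constructed blob: the chosen sequences separated by NOP padding."""
    pad = b"\x90" * 16
    return pad + pad.join(hex_seq_to_bytes(SEQUENCES[n], fill) for n in names) + pad

# Constructed inputs, not real Zloader samples: seven sequences (wildcards
# filled with 0xab) trip the rule, three sequences do not.
SAMPLE_HIT = build_sample([f"sequence_{i}" for i in range(7)], fill=0xab)
SAMPLE_MISS = build_sample(["sequence_0", "sequence_1", "sequence_2"])

if __name__ == "__main__":
    print("hit :", sorted(matching_sequences(SAMPLE_HIT)), rule_matches(SAMPLE_HIT))
    print("miss:", sorted(matching_sequences(SAMPLE_MISS)), rule_matches(SAMPLE_MISS))
```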