ZLoader aka Terdot, DELoader

May 8, 2020

Overview:

SonicWall Capture Labs Threat Research Team has observed and trapped activity for the malware family called "Zeus Sphinx" banking Trojan. Sphinx, goes by many other names; as in ZLoader, Terdot, or DELoader. ZLoader, has resurfaced to take advantage of government relief payments amid COVID-19.

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer, checking for corruption. The third layer is a Win32 binary.

Command-Line Static Information:

Unpacking The Sample:

  • 1) The samples strings are highly encrypted and obfuscated. You will need to create your own "IDC" or "Python" plugin inside IDA Pro to decrypt them dynamically.
  • 2) API calls are hidden by dynamically resolving them using function hashes. IDA Pro's script manual will help you evaluate routines that resolve to Microsoft's API names.
  • 3) Constant unfolding, dead code insertion and arithmetic substitution via identities.
  • 4) Once the strings are decrypted, the decryption call for string ".com" leads to the DGA routine or you can use your own technique to find it. There is always more than one way to do this step.
  • 5) Understanding the pseudo-random number generator will require you to manually define logical equivalences of small snippets of it's algorithm for seed generation.
  • The live session below is from Ida Pro, showing Kernel32.dll string decryption:

    The strings below are from the thirty-eight calls to decrypt_string:

    In order to locate the DGA Algorithm, you will have to decrypt all 38 calls to "decrypt_string", this is why automation is your friend in unpacking this sample.

Seeds:

Seed values used with DGA are as follows: q23Cud3xsNf3, 41997b4a729e1a0175208305170752dd, kZieCw23gffpe43Sd

Domains:

May 08th, 2020, Generated Domain Names:
hctvtocmttbwhpckcjcc.com
aosinfmwfnymlyerbtgk.com
njdnlnmhxwgtqakbeasg.com
lpnueaooqsytsshlbgxn.com
kbebomcngxvckfoudhct.com
yixydgdeovjpgcgbsqxp.com
ntvtwjeedakwwmcexrlj.com
hrihpfdvmhqerbafkucc.com
bnqupgrocpuiouglqqkl.com
irggjkpjmroxljusesjn.com
haymnndsysmtqnjmytsg.com
hlbhbxktyyjrlmixyhwu.com
nevlrqyolqqbqsijrmus.com
hlbdtbxkjvayignolnyi.com
vwcpuyxgvsklhvvlbdtx.com
wfnvuukycdmtaqpxoajk.com
plrpboptbgcyqbqrbsdt.com
koibanoohdjhriuohlbg.com
xvcakbeasgildijbykit.com
junbhxtwqgqcymafwuby.com
jvaxixayhwqnvhrhfijo.com
hckixydsdgcuywdoyopt.com
bgoasrnoptjolgsegewn.com
jcbnrtncovjsywhsyspc.com
cqhdwqnvhnbhxtnyfred.com
qwqxpmihnqevogytstgj.com
nqqwmweecoonfukmtbtg.com
nreumcipiatuuxxekwer.com
bqsmbfvflwsuglpnuirj.com
uqsdhfccnswutkwqkqkh.com
uvjyewrmlmmfvemllajb.com
ykitvkfrehhnuewnjywa.com

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

Summary:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Zloader.A (Trojan)

Appendix:

Sample Hash: 4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a