ZLoader aka Terdot, DELoader

Overview:

SonicWall Capture Labs Threat Research Team has observed and trapped activity for the malware family called "Zeus Sphinx" banking Trojan. Sphinx, goes by many other names; as in ZLoader, Terdot, or DELoader. ZLoader, has resurfaced to take advantage of government relief payments amid COVID-19.

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer, checking for corruption. The third layer is a Win32 binary.

Command-Line Static Information:

Unpacking The Sample:

1) The samples strings are highly encrypted and obfuscated. You will need to create your own "IDC" or "Python" plugin inside IDA Pro to decrypt them dynamically.
2) API calls are hidden by dynamically resolving them using function hashes. IDA Pro's script manual will help you evaluate routines that resolve to Microsoft's API names.
3) Constant unfolding, dead code insertion and arithmetic substitution via identities.
4) Once the strings are decrypted, the decryption call for string ".com" leads to the DGA routine or you can use your own technique to find it. There is always more than one way to do this step.
5) Understanding the pseudo-random number generator will require you to manually define logical equivalences of small snippets of it's algorithm for seed generation.

The live session below is from Ida Pro, showing Kernel32.dll string decryption:

The strings below are from the thirty-eight calls to decrypt_string:

In order to locate the DGA Algorithm, you will have to decrypt all 38 calls to "decrypt_string", this is why automation is your friend in unpacking this sample.

Seeds:

Seed values used with DGA are as follows: q23Cud3xsNf3, 41997b4a729e1a0175208305170752dd, kZieCw23gffpe43Sd

Domains:

May 08th, 2020, Generated Domain Names:
hctvtocmttbwhpckcjcc.com
aosinfmwfnymlyerbtgk.com
njdnlnmhxwgtqakbeasg.com
lpnueaooqsytsshlbgxn.com
kbebomcngxvckfoudhct.com
yixydgdeovjpgcgbsqxp.com
ntvtwjeedakwwmcexrlj.com
hrihpfdvmhqerbafkucc.com
bnqupgrocpuiouglqqkl.com
irggjkpjmroxljusesjn.com
haymnndsysmtqnjmytsg.com
hlbhbxktyyjrlmixyhwu.com
nevlrqyolqqbqsijrmus.com
hlbdtbxkjvayignolnyi.com
vwcpuyxgvsklhvvlbdtx.com
wfnvuukycdmtaqpxoajk.com
plrpboptbgcyqbqrbsdt.com
koibanoohdjhriuohlbg.com
xvcakbeasgildijbykit.com
junbhxtwqgqcymafwuby.com
jvaxixayhwqnvhrhfijo.com
hckixydsdgcuywdoyopt.com
bgoasrnoptjolgsegewn.com
jcbnrtncovjsywhsyspc.com
cqhdwqnvhnbhxtnyfred.com
qwqxpmihnqevogytstgj.com
nqqwmweecoonfukmtbtg.com
nreumcipiatuuxxekwer.com
bqsmbfvflwsuglpnuirj.com
uqsdhfccnswutkwqkqkh.com
uvjyewrmlmmfvemllajb.com
ykitvkfrehhnuewnjywa.com

Supported Systems:

Windows 10
Windows 8.1
Windows 8.0
Windows 7
Windows Vista

Summary:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

GAV: Zloader.A (Trojan)

Appendix:

Sample Hash: 4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.