Roboto Condensed Social Engineering Scheme Delivers DELoader (aka Terdot or ZLoader).

My first post on the Roboto Condensed social engineering scheme can be seen HERE. BleepingComputer.com also wrote an article on this, which can be seen HERE.

The page presented to both Chrome and Firefox users:

Looking at the page source shows a different .ZIP file for Chrome and Firefox users:

Firefox source EDITED

Chrome users download “Chrome_Font.zip”, which is being hosted on a hacked website called ithacafirst.org (resolves to 205.251.94.116).

Chrome JScript file

Chrome_Font.zip contains “Chrome_Font.js”. Pastebin of Chrome_Font.js.

Firefox users download “Mozilla_Font.zip”, which is being hosted on a hacked website called karisandsazii.com (resolves to 198.54.116.36).

Mozilla Font JScript file

Mozilla_Font.zip contains “Mozilla_Font.js”. Pastebin of Mozilla_Font.js.

Executing both JScript downloaders resulted in GET requests for the same file, “Font-update09042017-criticalfix.exe”, which is being hosted on a hacked website called intralynx.net (resolves to 198.54.126.10).

GET for executable

The malware payload being downloaded by the malicious JScript files is DELoader (aka Terdot). Thanks to @Antelox for identifying the sample! According to Forcepoint, “DELoader seems to be solely used to distribute a specific variant of the Zeus banking trojan.”

https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks

Something to note, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) was the User-Agent string used during the GET request.

TCP event captured during the GET request:

Remote Address : 198.54.126.10
Remote Host Name : host56.registrar-servers.com
Remote Port : 80
Process Name : WScript.exe
Process Path : C:\Windows\System32\WScript.exe

WScript.exe is used to create the file in C:\Users\[username]\AppData\Roaming\[malware payload].exe.

I found DNS queries for chinaandkoreacriminalaffairs.kz, which resolved to 185.82.200.159. This is followed by connections to that host via TCP port 443:

chinaandkoreacriminalaffairs.kz traffic

TCP event captured during the connections 185.82.200.159:

Remote Address : 185.82.200.159
Remote Port : 443
Process Name : explorer.exe
Process Path : C:\Windows\explorer.exe

This is followed by a GET request for checkip.dyndns.com, which returns the external IP address of the infected host:

IP check
The GET request for the IP check is also using the same User-Agent string as the GET request for the payload.

TCP event captured during the GET request for the IP/connectivity check:

Remote Address : 216.146.43.70
Remote Host Name : checkip.dyndns.com
Remote Port : 80
Process Name : msiexec.exe
Process Path : C:\Windows\system32\msiexec.exe

The DNS query and GET request for checkip.dyndns.com triggered the following ET rules:

  • ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  • ET POLICY External IP Lookup
  • ET TROJAN Zeus Bot Connectivity Check

A copy of the malware is created in a new folder located in %AppData%. Later we see the initial malware payload being deleted from %AppData%.

start.lnk is created, for persistence, in “C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”:

Tor.exe is downloaded and dropped in “C:\Users\[username]\AppData\Roaming\”.

Below are some TCP connections found after Tor.exe was executed:

Remote Address : 188.165.194.195
Remote Host Name : ns3096483.ip-188-165-194.eu
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 144.76.26.175
Remote Host Name : liz.dereferenced.net
Remote Port : 9011
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 209.141.35.232
Remote Host Name : node2930.dynamic.netjdn.com
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 91.221.66.21
Remote Host Name : mxs1.creanova.org
Remote Port : 444
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 62.210.244.146
Remote Host Name : regar42.fr
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 78.47.18.110
Remote Host Name : tor.sebastianhahn.net
Remote Port : 80
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 82.223.21.74
Remote Host Name : rocket.plastic-spoon.de
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 141.255.161.167
Remote Host Name : gorgeoustransit.com
Remote Port : 443
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 79.137.33.131
Remote Host Name : n6.servbr.net
Remote Port : 443
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Remote Address : 176.10.107.180
Remote Host Name : torexit.schokomil.ch
Remote Port : 9001
Process Name : tor.exe
Process Path : C:\Users\[username]\AppData\Roaming\tor.exe

Below are images of some files created in %Temp% and %AppData%:

Certutil.exe is downloaded and dropped in %Temp%, along with along with dependencies (legitimate DLLs) and .crt files:

The certificate is installed with the help of the certutil and is used for Man-in-the-Broswer attacks.

BoA MiTB attack on Internet Explorer:

IE MITM

Chase bank MiTB attack on Firefox:

MITM Firefox

Read more about the MiTB attack at https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/

Hashes:

SHA256: c9c738f58a8f0fde37edea09342e1378e110cfca73ee9244bb065539632ce484
File name: Mozilla_Font.js

SHA256: 1dd41148e5b86cac94363e97b08186ace1a796658101b59a090a763d442ad2a2
File name: Chrome_Font.js

SHA256: ec2f39ba3e4ebcf5af07aa49127a814a06b58d509a0324df6215e7aa3e99af87
File name: Sample.exe
Hybrid-Analysis Report
Malwr Report

Downloads:

Malicious Artifacts.zip
Password is “infected”

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: