SonicWALL - MADMAX DGA TARGETED TROJAN VARIANT

Overview:

SonicWall Capture Labs Threat Research Team recently observed MadMax activity during September. MadMax is a targeted trojan that generates one DGA domain per week: a 10-character alphanumeric label prefixed with "www." and suffixed with a TLD (Top Level Domain) that rotates weekly among com, net, info and org. The sample was built with Free Pascal Compiler (FPC) 3.0.4 [2018/02/25] for i386 - Win32. The malware author uses anti-debugging techniques that are hard to bypass; one of them, the use of TLS callbacks, is explained below.

Sample Static Information:

Traversing TLS:

Thread Local Storage (TLS) is a Windows mechanism that lets an executable image define data objects that are local to each individual thread. The TLS directory is one of the data directories in the PE optional header; it points to an IMAGE_TLS_DIRECTORY structure that tells the loader how the image's thread-local data, and the callbacks associated with it, are to be managed. The structure of this object is as follows:

Defining TLS callback functions makes the Windows loader run every function in the callback array before the image's entry point executes (and again on each thread attach and detach). A debugger that simply breaks at the entry point therefore never sees this code run, which is why the technique is popular with malware authors. We can locate the TLS structure with PEiD:

We can list the callbacks in IDA Pro with Ctrl+E (the entry points dialog):

TLS_Callback_0 is called first, before the program's entry point is reached. The obfuscated callback is shown here:

The first call, to sub_414DDE, is an XOR decryption routine:

A short video shows what it decrypts:

It decrypts the import table. Because the imports are only restored by the TLS callback at run time, static tools that list imports from the file on disk see nothing useful until the callback has executed.
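The walk from the PE header to the TLS callback array, as an added example that is not part of the SonicWall write-up and not the MadMax sample. It does with the standard library what PEiD and IDA's Ctrl+E dialog do interactively: read the TLS data directory, follow it to IMAGE_TLS_DIRECTORY, and enumerate the null-terminated callback array (remembering that AddressOfCallBacks holds virtual addresses, so ImageBase has to be subtracted before the RVA-to-offset lookup). The PE32 image it parses is constructed inline for the demonstration; its section layout and callback addresses are assumptions, not values from the sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry among the optional header's data directories


def _sections(data, pe, nsec, opt_size):
    """Read the section table: (name, VirtualAddress, span, PointerToRawData) per section."""
    base = pe + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base + i * 40)
        out.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
    return out


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section that contains it."""
    for _name, va, span, rawptr in sections:
        if va <= rva < va + span:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def tls_callbacks(data):
    """Return the TLS callback virtual addresses registered by a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs = struct.unpack_from("<I", data, opt + 92)[0]
        dirs, ptr_fmt, tls_fmt = opt + 96, "<I", "<IIIIII"
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs = struct.unpack_from("<I", data, opt + 108)[0]
        dirs, ptr_fmt, tls_fmt = opt + 112, "<Q", "<QQQQII"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", data, dirs + IMAGE_DIRECTORY_ENTRY_TLS * 8)
    if tls_rva == 0:
        return []                                          # image has no TLS directory
    sections = _sections(data, pe, nsec, opt_size)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks, SizeOfZeroFill, Characteristics. The first four are VAs, not RVAs.
    fields = struct.unpack_from(tls_fmt, data, rva_to_offset(sections, tls_rva))
    callbacks_va = fields[3]
    if callbacks_va == 0:
        return []
    off = rva_to_offset(sections, callbacks_va - image_base)
    step = struct.calcsize(ptr_fmt)
    found = []
    while True:                                            # null-terminated PIMAGE_TLS_CALLBACK array
        va = struct.unpack_from(ptr_fmt, data, off)[0]
        if va == 0:
            return found
        found.append(va)
        off += step


def build_sample_pe32(with_tls=True):
    """Constructed minimal PE32 (not the MadMax sample) whose .tls section registers two callbacks."""
    image_base, tls_rva, cb_rva = 0x400000, 0x1000, 0x1030
    callbacks = [0x401100, 0x401200]                       # hypothetical callback addresses
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_TLS * 8, tls_rva, 24)
    sect = struct.pack("<8sIIIIIIHHI", b".tls", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    body = bytearray(0x200)                                # raw data of .tls, mapped at RVA 0x1000
    struct.pack_into("<IIIIII", body, tls_rva - 0x1000, image_base + 0x1020, image_base + 0x1024,
                     image_base + 0x1028, image_base + cb_rva, 0, 0)
    struct.pack_into("<III", body, cb_rva - 0x1000, callbacks[0], callbacks[1], 0)
    return bytes(headers + body)


if __name__ == "__main__":
    for va in tls_callbacks(build_sample_pe32()):
        print(f"TLS callback at {va:#010x}")
```

Point a debugger at each address this returns before running the sample; that is where execution starts, not at the entry point. On a real file, replace the constructed image with `open(path, "rb").read()`.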

DNS Network Intelligence:

The regular expression to catch the domain names is as follows: (www\.){0,1}[a-z0-9]{10}\.(com|org|info|net)$. Note that the pattern is deliberately broad: any 10-character alphanumeric label under these four TLDs matches, so hits should be treated as candidates and checked against the TLD expected for the current week and against known-good domains.

Countries Observed Connecting to MadMax’s Domains Worldwide:

  • Brazil
  • Canada
  • China
  • Finland
  • France
  • Germany
  • India
  • Italy
  • Japan
  • Korea
  • Norway
  • Taiwan
  • Thailand
  • Ukraine
  • UK
  • US

Active Generated Domain This Week:

MadMax selects its TLD from the week of the month:

  • Week 1: .com
  • Week 2: .org
  • Week 3: .info
  • Week 4: .net

September, Week 1:

www.tttkusrteg.com (active from 2019-09-01 00:00:00 to 2019-09-07 23:59:59)
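The detection logic above, run over a constructed DNS query log, as an added example that is not part of the SonicWall write-up. It uses the write-up's pattern (anchored with ^ as well as $ so the whole query name has to fit) and its week-to-TLD table, and reports separately the names that fit the shape but carry the wrong TLD for the week of the query. Two things here are assumptions rather than facts from the write-up: the week calculation (7-day blocks from the 1st, which is consistent with "September, Week 1" being 2019-09-01 to 2019-09-07; days 29-31 are left unrestricted) and the allowlist, which exists because ordinary names such as googleapis.com also have a 10-character label and match the pattern.

```python
import re
from datetime import date

# Pattern from the write-up, anchored with ^ as well as $ so it must cover the whole query name.
MADMAX_DOMAIN = re.compile(r"^(www\.)?[a-z0-9]{10}\.(com|org|info|net)$")

# Week-of-month to TLD rotation from the write-up.
WEEK_TLD = {1: "com", 2: "org", 3: "info", 4: "net"}

# Assumption: known-good registered domains that the broad pattern would otherwise flag.
ALLOWLIST = {"googleapis.com"}


def expected_tld(day):
    """TLD MadMax is expected to use on `day` (a datetime.date).

    Assumption: weeks are 7-day blocks counted from the 1st (1-7, 8-14, 15-21, 22-28),
    consistent with the write-up's 'September, Week 1: 2019-09-01 .. 2019-09-07'.
    Days 29-31 are not covered by the write-up, so None is returned for them.
    """
    return WEEK_TLD.get((day.day - 1) // 7 + 1)


def classify(qname, day_iso):
    """Return 'no-match', 'allowlisted', 'wrong-week-tld' or 'candidate' for one query name."""
    host = qname.strip().lower().rstrip(".")
    m = MADMAX_DOMAIN.match(host)
    if not m:
        return "no-match"
    registered = host[4:] if host.startswith("www.") else host
    if registered in ALLOWLIST:
        return "allowlisted"
    exp = expected_tld(date.fromisoformat(day_iso))
    if exp is not None and m.group(2) != exp:
        return "wrong-week-tld"   # fits the shape but not this week's rotation
    return "candidate"


# Constructed DNS query log (not from the write-up): timestamp, client, query name.
SAMPLE_LOG = """\
2019-09-03T10:12:01Z 10.0.0.5 www.tttkusrteg.com
2019-09-03T10:12:09Z 10.0.0.5 www.googleapis.com
2019-09-03T10:13:44Z 10.0.0.7 tttkusrteg.org
2019-09-03T10:15:00Z 10.0.0.9 mail.example.com
"""


def scan_log(text):
    """Return (client, qname, verdict) for every line whose name fits the MadMax shape."""
    hits = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        verdict = classify(qname, ts[:10])
        if verdict != "no-match":
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for client, qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{client:10} {qname:24} {verdict}")
```

Only the "candidate" verdicts deserve an alert; "wrong-week-tld" is worth keeping as a low-priority signal in case the rotation is observed to differ, and "allowlisted" shows why the pattern alone is not a verdict.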

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat with the following signature:

  • GAV: MadMax.DGA
