SonicWall Capture Labs Threat Research Team recently observed MadMax activity during the month of September. MadMax is a targeted trojan that generates one alphanumeric, 10-character DGA domain per week. The domain is prefixed with www and suffixed with a weekly rotating TLD (Top Level Domain), cycling through com, net, info and org in that order. The sample was built with Free Pascal Compiler (FPC) 3.0.4 [2018/02/25] for i386 - Win32. The malware author uses anti-debugging techniques that are hard to bypass; one of them, the TLS callback mechanism, is explained below.
Sample Static Information:
Traversing TLS:
Thread Local Storage (TLS) is a Windows mechanism that lets a program define data objects local to each individual thread. The TLS directory is part of the PE header of an executable image and tells the loader how the image's thread-local variables are to be managed. The structure of this object is as follows:
Defining TLS callback functions causes Windows to execute the listed functions before the main routine runs, which is why they are attractive for hiding setup code from a debugger that breaks on the entry point. We can locate the TLS structure with PEiD:
We can list the callbacks in IDA Pro with Ctrl+E:
TLS_Callback_0 is called before the main start routine. The obfuscated callback is shown here:
The first call to sub_414DDE is an XOR decryption routine:
Let's watch a short video of what it decrypts:
It decrypts the Import Table.
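The TLS directory walk described above, as an added example that is not code from the original post or from SonicWall: a small Python parser that follows the PE headers to the TLS data directory and lists the registered callbacks, the same structure the post locates with PEiD and IDA. The PE it parses is a constructed fixture built in code, not the MadMax binary.

```python
import struct

def tls_callbacks(pe: bytes) -> list:
    """Return the TLS callback addresses a PE32 image registers (empty if it has no TLS directory)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                       # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = nt + 4, nt + 24
    nsections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 9 * 8)[0]      # data directory entry 9 = TLS
    if tls_rva == 0:
        return []                                                    # no TLS directory, so no callbacks
    # The section table follows the optional header; it is needed to map RVAs to file offsets.
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + i * 40) for i in range(nsections)]
    def rva_to_off(rva: int) -> int:
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is not inside any section" % rva)
    # IMAGE_TLS_DIRECTORY32: StartOfRawData, EndOfRawData, AddressOfIndex, AddressOfCallBacks, ZeroFill, Flags
    callbacks_va = struct.unpack_from("<6I", pe, rva_to_off(tls_rva))[3]
    off, found = rva_to_off(callbacks_va - image_base), []
    while True:                                                      # null-terminated PIMAGE_TLS_CALLBACK array
        va = struct.unpack_from("<I", pe, off)[0]
        if va == 0:
            return found
        found.append(va)
        off += 4

def build_sample_pe(callbacks: list) -> bytes:
    """Constructed fixture (not a real sample): minimal PE32 with one section holding a TLS directory."""
    base, sec_va, sec_off = 0x400000, 0x1000, 0x200
    tls = struct.pack("<6I", base + sec_va + 0x80, base + sec_va + 0x84, base + sec_va + 0x88,
                      base + sec_va + 0x18, 0, 0)                    # AddressOfCallBacks = section + 0x18
    section = (tls + struct.pack("<%dI" % (len(callbacks) + 1), *callbacks, 0)).ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                             # PE32 optional header, zero-filled
    for fmt, pos, vals in (("<H", 0, (0x10B,)), ("<I", 28, (base,)),   # Magic, ImageBase
                           ("<I", 92, (16,)), ("<II", 96 + 9 * 8, (sec_va, 24))):  # NumberOfRvaAndSizes, TLS dir
        struct.pack_into(fmt, opt, pos, *vals)
    shdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, sec_va, 0x200, sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + shdr).ljust(sec_off, b"\0") + section

if __name__ == "__main__":
    for cb in tls_callbacks(build_sample_pe([0x401100, 0x401200])):
        print("TLS callback at 0x%08x" % cb)
```

Pointing `tls_callbacks` at a real file (`open(path, "rb").read()`) gives the addresses to inspect in IDA; a non-empty list on a packed or obfuscated sample is a cheap triage signal that code runs before the entry point.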
DNS Network Intelligence:
The regular expression to catch the domain names is as follows: (www\.){0,1}[a-z0-9]{10}\.(com|org|info|net)$ Note that this pattern also matches legitimate ten-character domains, so it is best used as a hunting filter over DNS logs rather than as a blocking rule on its own.
Countries Observed Connecting to MadMax’s Domains Worldwide:
Brazil
Canada
China
Finland
France
Germany
India
Italy
Japan
Korea
Norway
Taiwan
Thailand
Ukraine
UK
US
Active Generated Domain This Week:
MadMax determines its TLD from the week of the month: