Mlw #41: a new sophisticated loader by APT group TA505

TA505 is a sophisticated cybergang known for the Dridex, ServHelper and FlawedGrace malware families, among others. The group targets major companies in finance, industry, and transportation, as well as government, predominantly in Asia and Europe. The attackers stand out for their rich arsenal and constant evolution: they continue to modify existing tools and create new ones.

The key to their success is making a persistent implant that is difficult to detect. The group’s use of best practices for writing malicious code not only complicates the analysis of malware, but makes it difficult to create effective countermeasures.

In this talk, we will go into detail about the group's new loader. We will explain why the KUSER_SHARED_DATA structure is used, how kernel functions are called in a way that bypasses the standard methods, how JScript and PowerShell scripts are assembled on the fly from components, and the techniques used for hooking functions and performing process injection with a ROP gadget. We will also cover the persistence methods used, how the malware's configuration data is stored, and the stealthy network interaction with the C&C server through DNS tunneling using the uncommon X25 query type.
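The DNS tunneling channel mentioned above gives a defender a concrete thing to look for: client queries using a resource record type that has no business in normal traffic, carrying encoded data in the subdomain label. The following is an added example, not code from the talk or from the TA505 loader analysis, that scans resolver log lines for exactly those two signals. The log format, the sample lines, the list of "uncommon" types beyond X25, and the entropy threshold are all assumptions made here for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (assumption: one query per line as
# "<timestamp> <client_ip> <qname> <qtype>"; not from the talk or a real capture).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 www.example.com A
2024-03-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-03-01T10:00:03Z 10.0.0.7 4f2a9c1e7b3d5a8f0c2e6b1d.updates.example-cdn.net X25
2024-03-01T10:00:04Z 10.0.0.7 9e1b7d3f5a2c8e0b4d6f1a3c.updates.example-cdn.net X25
2024-03-01T10:00:05Z 10.0.0.7 c3d5e7f9a1b3d5f7e9a1c3b5.updates.example-cdn.net X25
2024-03-01T10:00:06Z 10.0.0.9 intranet.corp.local A
"""

# X25 (RR type 19, RFC 1183) is the type the talk names. The other entries are
# an assumption: equally rare legacy types a defender might watch the same way.
UNCOMMON_QTYPES = {"X25", "HINFO", "NULL", "ISDN", "RP"}

ENTROPY_THRESHOLD = 3.0   # bits/char; hex or base32 blobs land well above this
MIN_ENCODED_LABELS = 3    # distinct high-entropy labels per client/domain before alerting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split one log line into its fields; raises ValueError on malformed input."""
    ts, client, qname, qtype = line.split()
    labels = qname.rstrip(".").split(".")
    return {
        "ts": ts,
        "client": client,
        "qname": qname,
        "qtype": qtype.upper(),
        "first_label": labels[0],
        # Assumption: the last two labels approximate the registrable domain.
        "base": ".".join(labels[-2:]),
    }


def analyze(log_text: str) -> dict:
    """Aggregate queries per (client, base domain) and return those that look like tunneling."""
    stats = defaultdict(lambda: {"uncommon_qtype_queries": 0, "encoded_labels": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        key = (q["client"], q["base"])
        if q["qtype"] in UNCOMMON_QTYPES:
            stats[key]["uncommon_qtype_queries"] += 1
        if shannon_entropy(q["first_label"]) >= ENTROPY_THRESHOLD:
            stats[key]["encoded_labels"].add(q["first_label"])

    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["uncommon_qtype_queries"]:
            reasons.append(f"{s['uncommon_qtype_queries']} queries with uncommon RR type")
        if len(s["encoded_labels"]) >= MIN_ENCODED_LABELS:
            reasons.append(f"{len(s['encoded_labels'])} distinct high-entropy subdomain labels")
        if reasons:
            findings[key] = {
                "uncommon_qtype_queries": s["uncommon_qtype_queries"],
                "high_entropy_labels": len(s["encoded_labels"]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for (client, base), f in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {base}: " + "; ".join(f["reasons"]))
```

Run against the constructed sample, only the 10.0.0.7 client talking to example-cdn.net is reported, on both counts: three X25 queries and three distinct hex-looking labels. The two signals are kept separate on purpose; an uncommon query type alone is a strong, cheap indicator, while the label-entropy check also catches tunnels that fall back to ordinary A or TXT queries.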

Every year, cybercriminals release more and more malware samples, and the range of quality and capabilities of trojans keeps expanding. The information security industry does not stand still: new solutions appear to prevent, detect, and quickly respond to intrusions, in particular the most complex, persistent threats and targeted attacks. Of course, threat actors also keep track of new defensive solutions. By studying security systems, they find new ways to carry out their operations and come up with new, more complex tricks to circumvent attack-detection solutions. As a result, defensive measures that once worked and were effective no longer provide an adequate level of protection.

The problem has several solutions. One of them is a deep and painstaking study of malicious samples. It is important to extract not only the superficial, characteristic and obvious signs (for example, the class of malware, indicators of compromise, a high-level description of its purpose), but also to understand the nuances of the program. Some features of its operation that seem insignificant at first glance, and sometimes even silly, are what allow the trojan to go unnoticed. A detailed study not only allows the development of measures against this sample, but also preventively counters similar programs that are not yet known. Of course, such an analysis requires considerable time and human resources, and in some cases the time spent may turn out to be wasted from the point of view of the result, because the tactics revealed are nothing new. It is therefore very important to optimize the process well and to develop approaches that minimize the time cost while keeping the result fully justified.

The result of this talk is a detailed analysis of the trojan downloader of the TA505 group. Practically every one of its functions contains either a trick that complicates its detection or a technique that significantly impedes analysis. Some of these techniques are already known, but the combination of all of them in one sample makes it unique. Listeners will have a great opportunity to learn about the most advanced malicious tricks that attackers use in advanced malware. In addition, they will become familiar with the way of thinking that allows you to successfully deal with confusing and intentionally complicated code during reverse engineering. For beginners and more experienced researchers alike, recommendations will be given on how to filter potentially interesting samples for in-depth analysis out of the general flow, which tools are more efficient to use, and what other skills and sources of information can significantly help to solve the problem.

About the Speaker