Mlw #41: a new sophisticated loader by APT group TA505

TA505 is a sophisticated cybergang known for the Dridex, ServHelper and FlawedGrace malware families, among others. The group targets major companies in finance, industry, and transportation, as well as government, predominantly in Asia and Europe. The attackers stand out for their rich arsenal and constant evolution: they continue to modify existing tools and create new ones.

The key to their success is making a persistent implant that is difficult to detect. The group’s use of best practices for writing malicious code not only complicates the analysis of malware, but makes it difficult to create effective countermeasures.

In this talk, we will go into detail about the malicious group’s new loader. We’ll tell why the KUSER_SHARED_DATA structure is used, how kernel functions are called in a way that bypasses standard methods, creation of on-the-fly JScript and PowerShell scripts from components, plus techniques for intercepting functions and performing process injection with a ROP gadget. Topics will include the persistence methods used, how storage of the malware’s configuration data works, as well as stealthy network interaction with the C&C server via DNS tunneling using the uncommon X25 query type.

About the Speaker