Madmax DGA Targeted Trojan Variant

September 7, 2019

Overview:

SonicWall Capture Labs Threat Research Team recently found activity for MadMax in the month of September. MadMax is a targeted trojan that produces one alphanumeric, 10-character DGA-generated domain per week. The domain is prefixed with "www" and suffixed with a weekly rotating TLD (Top Level Domain); the TLDs are selected from (com, net, info, org) respectively. The sample was built with the Free Pascal Compiler (FPC) 3.0.4 [2018/02/25] for i386 – Win32. The malware author uses anti-debugging techniques that are hard to bypass. One of these techniques, the TLS mechanism, is explained below.

Sample Static Information:

Traversing TLS:

Thread Local Storage (TLS) is a Windows mechanism that lets a program define data objects local to each individual thread. The TLS directory is part of the PE header of an executable image and describes to the loader how the image's thread-local variables are to be managed. The structure of this object is as follows:

Defining TLS callback functions causes Windows to execute the listed functions before the main routine runs. We can locate the TLS structure with PEiD:

We can list the following callbacks in IDA Pro with Ctrl+E:

TLS_Callback_0 is called before the main start routine. We can see the obfuscated callback here:

The first call to sub_414DDE is an XOR decryption routine:

Let's watch a short video of what it decrypts:

It decrypts the Import Table.

DNS Network Intelligence:

The regular expression to catch the domain names is as follows: (www\.){0,1}[a-z0-9]{10}\.(com|org|info|net)$

Countries Observed Connecting to MadMax’s Domains Worldwide:

  • Brazil
  • Canada
  • China
  • Finland
  • France
  • Germany
  • India
  • Italy
  • Japan
  • Korea
  • Norway
  • Taiwan
  • Thailand
  • Ukraine
  • UK
  • US

Active Generated Domain This Week:

MadMax determines its TLD from the week of the month:

  • Week 1: .com
  • Week 2: .org
  • Week 3: .info
  • Week 4: .net

September, Week 1:

www.tttkusrteg.com 2019-09-01 00:00:00 2019-09-07 23:59:59
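As an added detection example (not SonicWall's code), the following Python applies the regular expression from the DNS Network Intelligence section to constructed DNS log lines and combines it with the week-to-TLD table above: a name that has the DGA shape and uses the TLD expected for that week is flagged as MadMax, while a shape-only match (the pattern also fits legitimate 10-character domains) is flagged at lower confidence. The log format, the constructed sample lines and the handling of days 29-31 (not covered by the advisory) are assumptions.

```python
import re
from datetime import datetime

# Pattern from the advisory: optional "www." prefix, 10 alphanumerics, one of four TLDs.
MADMAX_DOMAIN = re.compile(r"(www\.){0,1}[a-z0-9]{10}\.(com|org|info|net)$")

# Week-of-month to TLD mapping from the advisory (weeks 1-4).
WEEK_TLD = {1: "com", 2: "org", 3: "info", 4: "net"}

def week_of_month(ts: datetime) -> int:
    """Days 1-7 -> week 1, 8-14 -> week 2, ... (matches the Sept 1-7 example above)."""
    return (ts.day - 1) // 7 + 1

def expected_tld(ts: datetime):
    """TLD MadMax should use on this date; None for days 29-31 (assumption: not in the advisory)."""
    return WEEK_TLD.get(week_of_month(ts))

def classify_query(ts_text: str, qname: str) -> str:
    """Return 'madmax-dga', 'dga-shape' or 'clean' for one DNS query."""
    name = qname.lower().rstrip(".")
    m = MADMAX_DOMAIN.fullmatch(name)  # whole name must match, not just its tail
    if not m:
        return "clean"
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return "madmax-dga" if m.group(2) == expected_tld(ts) else "dga-shape"

def scan_dns_log(lines):
    """Parse assumed 'timestamp<TAB>client<TAB>qname' lines; return (client, qname, verdict) hits."""
    hits = []
    for line in lines:
        ts_text, client, qname = line.split("\t")
        verdict = classify_query(ts_text, qname)
        if verdict != "clean":
            hits.append((client, qname, verdict))
    return hits

# Constructed sample log: the advisory's September week-1 domain plus benign and off-week lookups.
SAMPLE_LOG = [
    "2019-09-03 14:22:10\t10.0.0.17\twww.tttkusrteg.com",
    "2019-09-03 14:22:11\t10.0.0.17\tupdate.example.net",
    "2019-09-10 09:05:00\t10.0.0.42\tq1w2e3r4t5.com",
    "2019-09-10 09:06:00\t10.0.0.42\twww.google.com",
]

if __name__ == "__main__":
    for client, qname, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: {verdict}")
```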

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: MadMax.DGA