- CXO Track
- For You
- Horror Stories from Hacker World
- Resume Clinic
- Goa 2020
- Alexey Vishnyakov
Mlw #41: a new sophisticated loader by APT group TA505
TA505 is a sophisticated cybergang known for the Dridex, ServHelper and FlawedGrace malware families, among others. The group targets major companies in finance, industry, and transportation, as well as government, predominantly in Asia and Europe. The attackers stand out for their rich arsenal and constant evolution: they continue to modify existing tools and create new ones.
The key to their success is making a persistent implant that is difficult to detect. The group's use of best practices for writing malicious code not only complicates the analysis of malware but makes it difficult to create effective countermeasures.
In this talk, we will go into detail about the malicious group's new loader. We'll tell why the KUSER_SHARED_DATA structure is used, how kernel functions are called in a way that bypasses standard methods, creation of on-the-fly JScript and PowerShell scripts from components, plus techniques for intercepting functions and performing process injection with a ROP gadget. Topics will include the persistence methods used, how the storage of the malware's configuration data works, as well as stealthy network interaction with the C&C server via DNS tunneling using the uncommon X25 query type.
Alexey Vishnyakov is a Senior Specialist in the Threats Analysis Group, a department of the Expert Security Center at Positive Technologies. Before specializing in cybersecurity, Alexey graduated from MEPHI in 2015 with a degree in mathematics, system programmer. His previous roles in the industry include working as a network analyst at Security Code and a malware analyst at Kaspersky. Throughout his career, Alexey has investigated large numbers of malicious files and actors. In addition, he has considerable experience with network traffic analysis, as well as creating rules for Snort and Suricata IDS. In his current role at Positive echnologies, his main duties consist of tracking and analyzing existing APT groups, not to mention identifying new ones. Outside of his role as Senior Specialist, Alexey is also a regular speaker at PHDays and AVAR security conferences.