Segurança - MADMAX DGA TARGETED TROJAN VARIANT
MADMAX DGA TARGETED TROJAN VARIANT
September 7, 2019 Overview:
SonicWall Capture Labs Threat Research Team recently found activity for MadMax in the month of September. MadMax is a targeted trojan, it produces one alphanumeric, 10 character long DGA generated domain per week. The domain is prefixed with (www) and suffixed with a weekly rotating TLD (Top Level Domain). The TLDs are selected from (com, net, info, org) respectively. The sample uses (FPC) Free Pascal Compiler 3.0.4 [2018/02/25] for i386 – Win32. The malware author for this sample uses anti debugging techniques that are hard to bypass. One of the techniques, the TLS mechanism is explained below. Sample Static Information: Traversing TLS:
Thread Local Storage (TLS) is a mechanism that allows Microsoft to define data objects local to each individual thread. The TLS directory is a part of the PE header of an executable image which describes to the loader how the image’s thread local variables are to be managed. The structure of …
