Under Attack? Call (844) END.DDoS

The Mad Max DGA

Jeff Edwards

This post describes a domain generation algorithm (DGA) used by the “Mad Max” malware family. Mad Max is a targeted trojan, and we plan to post a follow-up article that documents our findings regarding the features of the Mad Max malware itself. But for now we will focus on the reversing of its DGA, since we were unable to find any other published research on this topic.

The reference sample we focus on has MD5 hash c7d1357f4c4acceb1780db12ad1b4de1. It first came to our attention because it triggered an ETPro signature alert for “APT.MADMAX” while passing through our sandboxing automation. We could find very little published research on this threat, other than one analysis report from Sophos [1]. This was perhaps due to the preponderance of web search hits related to the famous Mel Gibson movie of the same name:

madmax

The sample has pretty generic detections on Virus Total. We intend to post further details on the malware’s features, installation life cycle, etc. in a follow-up article, but for now suffice it to stay that the original sample drops several DLLs onto the infectee, which are then executed via rundll32.exe. During the reversing of Mad Max’s DGA, the dropped DLL that we spent the most time with weighed 1,561,600 bytes and had MD5 hash of 43538f5fb75003cbea84c9216e12c94a. It was dropped into C:\Users\Admin\AppData\Local\Temp as c_375EF.tmp.

Code De-Obfuscation

One of the obstacles presented by this malware is that its code is heavily obfuscated; small sequences of one or more “real” malcode instructions are buried amidst a much larger amount of dummy instructions. Figure 1 shows a representative example – only the five instructions colored yellow are substantive (“real”); the surrounding instructions exist purely for obfuscation purposes.

The Lizard Brain of LizardStresser

Matthew Bing

LizardStresser is a botnet originally written by the infamous Lizard Squad DDoS group. The source code was released publicly in early 2015, an act that encouraged aspiring DDoS actors to build their own botnets. Arbor Networks’ ASERT group has been tracking LizardStresser activity and observed two disturbing trends: The number of unique LizardStresser command-and-control (C2) […]

Communications of the Bolek Trojan

Dennis Schwarz

A few weeks ago CERT Polska released a short blog post introducing a new malware family now known as Bolek. PhishMe and Dr.Web have since added some additional insight into the family. Browsing through a memory dump of the malware, a Webinjects section sticks out. Webinjects usually imply banking malware, so it seems Bolek picks […]

New Poison Ivy Activity Targeting Myanmar, Asian Countries

The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists […]

The Four Element Sword Engagement

Curt Wilson

Ongoing APT activity against Tibetans, Hong Kong and Taiwanese interests In “The Four Element Sword Engagement (Full Report)”, Arbor ASERT reveals recent ongoing APT activity likely associated with long-running threat campaigns against Tibetans, Hong Kong, Taiwanese interests and human rights workers. We presume the existence of associated malcode, dubbed the Four Element Sword Builder, which […]

Alpha Testing the AlphaLeon HTTP Bot

Dennis Schwarz

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]

Estimating the Revenue of a Russian DDoS Booter

Dennis Schwarz

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]

Dumping Core: Analytical Findings on Trojan.Corebot

ASERT team

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]

The Big Bong Theory: Conjectures on a Korean Banking Trojan

ASERT team

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]

Uncovering the Seven Pointed Dagger

ASERT team

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]