A New Sophisticated Loader by APT Group TA505
Offered By: nullcon via YouTube
Course Description
Overview
Dive into a detailed analysis of a sophisticated new loader developed by the APT group TA505 in this 46-minute conference talk from NULLCON Goa 2020. Explore the advanced techniques employed by this cybergang, known for malware families like Dridex, ServHelper, and FlawedGrace. Discover how TA505 targets major companies and government entities, primarily in Asia and Europe, across finance, industry, and transportation sectors. Learn about their evolving arsenal, including the use of the KUSER_SHARED_DATA structure, unconventional methods for calling kernel functions, and the creation of on-the-fly JScript and PowerShell scripts. Examine their innovative approaches to function interception, process injection using ROP gadgets, and stealthy network communication via DNS tunneling with the uncommon X25 query type. Gain insights into persistence methods, configuration data storage, and the challenges these sophisticated techniques pose for malware analysis and countermeasure development.
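The talk's DNS-tunneling point gives a hunting team one concrete, cheap check: X25 is QTYPE 19 (RFC 1183) and almost never appears in legitimate resolver traffic, so any query carrying it is worth a look. The parser below is an added example written for this listing; it is not code from the talk and not TA505's loader. It decodes the question section of raw DNS queries and flags any QTYPE outside a small "common" set. The common set, the sample queries, the hex-looking leftmost label and the `c2.example.net` domain are all constructed for the example.

```python
# Added example (not from the talk or from TA505's code): a minimal DNS query
# parser that flags rare query types such as X25 (QTYPE 19, RFC 1183), which
# the talk describes as the carrier for the loader's DNS tunneling.
import struct

# QTYPE values from RFC 1035 / RFC 1183 / RFC 3596.  Which types count as
# "common" is an assumption for the example; tune it to your own resolver logs.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 19: "X25", 28: "AAAA", 33: "SRV", 255: "ANY"}
COMMON_QTYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33}
X25 = 19


def parse_qname(msg, offset):
    """Decode an uncompressed QNAME starting at offset; return (name, new_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never belong in the question of a query;
            # treat one as malformed rather than following it.
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def parse_query(msg):
    """Return (qname, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype


def build_query(qname, qtype, txid=0x1234):
    """Build a standard recursive query for qname/qtype (used here to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def flag_rare_qtypes(messages):
    """Return (qname, qtype_name) for every query whose QTYPE is not in COMMON_QTYPES."""
    hits = []
    for msg in messages:
        qname, qtype = parse_query(msg)
        if qtype not in COMMON_QTYPES:
            hits.append((qname, QTYPE_NAMES.get(qtype, str(qtype))))
    return hits


# Constructed sample traffic: two ordinary lookups and one X25 query whose
# leftmost label could carry encoded data, as a tunnel would.  The domain
# names are placeholders, not real indicators.
SAMPLE_QUERIES = [
    build_query("www.example.com", 1),
    build_query("mail.example.com", 15),
    build_query("6a6f686e.c2.example.net", X25),
]

if __name__ == "__main__":
    for name, qtype_name in flag_rare_qtypes(SAMPLE_QUERIES):
        print(f"rare QTYPE {qtype_name} for {name}")
```

Feed `flag_rare_qtypes` the UDP payloads of port-53 queries from a capture; a single X25 hit on a corporate network is a strong signal on its own, and a steady stream of them to one domain, with varying leftmost labels, is the tunnel pattern the talk describes.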
Syllabus
Mlw #41: a new sophisticated loader by APT group TA505 | Alexey Vishnyakov | NULLCON Goa 2020
Taught by
nullcon
Related Courses
Computer Security (Stanford University via Coursera)
Cryptography II (Stanford University via Coursera)
Malicious Software and its Underground Economy: Two Sides to Every Story (University of London International Programmes via Coursera)
Building an Information Risk Management Toolkit (University of Washington via Coursera)
Introduction to Cybersecurity (National Cybersecurity Institute at Excelsior College via Canvas Network)