Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

18.04.2024


A recent malvertising campaign abusing Google Ads has been discovered. It uses a network of domains that imitate legitimate IP scanner software to distribute a previously unknown backdoor named MadMxShell.

Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh found that the threat actor registered several look-alike domains through typosquatting and used Google Ads to push them to the top of search results for specific keywords. The goal was to lure victims onto these sites without their realising the sites were malicious.

Between November 2023 and March 2024, approximately 45 domains were registered, masquerading as port scanning and IT management software like Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.

Although malvertising techniques have been used before to serve malware through fake sites, this marks the first instance of using such a method to propagate a sophisticated Windows backdoor.

Users searching for these tools are directed to fake sites containing JavaScript code, which triggers the download of a malicious file (“Advanced-ip-scanner.zip”) upon clicking the download button.

Within the ZIP archive, there’s a DLL file (“IVIEWERS.dll”) and an executable (“Advanced-ip-scanner.exe”). The executable utilizes DLL side-loading to activate the infection sequence by loading the DLL and injecting shellcode into the process through process hollowing.

The injected EXE file then unpacks two additional files, OneDrive.exe and Secur32.dll. OneDrive.exe, a legitimate Microsoft binary, is abused to sideload Secur32.dll, which in turn executes the shellcode backdoor. The malware also establishes persistence on the host through a scheduled task and disables Microsoft Defender Antivirus.

Named for its use of DNS MX queries for command-and-control (C2), the backdoor collects system information, executes commands via cmd.exe, and conducts basic file manipulation operations.

It communicates with the C2 server (“litterbolo[.]com”) by encoding data in the subdomains of the Fully Qualified Domain Name (FQDN) using DNS mail exchange (MX) query packets, receiving encoded commands in response.

The backdoor employs several evasion techniques, including multiple stages of DLL side-loading, DNS tunneling for C2 communication, and anti-dumping measures that impede memory analysis and forensic security tooling.
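The DNS MX channel described above leaves a recognisable trace in resolver logs: a single host issuing repeated MX queries whose subdomain labels are long and high-entropy. The following detector is an added example, not Zscaler's code or part of the original report; the log format, the subdomain labels (hex-looking stand-ins for encoded data) and the thresholds are constructed for illustration, and the registered-domain split assumes two labels rather than a real public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client, query type, name).
# The C2 domain is the one named in the article; the subdomain labels are
# invented hex-looking stand-ins for encoded data, not real indicators.
SAMPLE_LOG = """\
2024-03-20T10:00:01Z 10.0.0.5 MX 4a7f3c9e1b2d8e0f.6c3a1f9e.litterbolo.com
2024-03-20T10:00:02Z 10.0.0.5 MX 9e1b2d8e0f4a7f3c.7d4b2a0f.litterbolo.com
2024-03-20T10:00:03Z 10.0.0.5 MX 0f4a7f3c9e1b2d8e.8e5c3b1a.litterbolo.com
2024-03-20T10:00:04Z 10.0.0.5 MX 3c9e1b2d8e0f4a7f.9f6d4c2b.litterbolo.com
2024-03-20T10:00:05Z 10.0.0.7 A www.example.com
2024-03-20T10:00:06Z 10.0.0.7 MX example.com
2024-03-20T10:00:07Z 10.0.0.9 MX mail.example.org
"""
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; encoded or encrypted payloads score high."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def split_qname(qname):
    """Return (joined subdomain labels, registered domain). Assumes a two-label
    registered domain; real deployments should consult a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def find_mx_tunneling(log_text, min_queries=3, min_sub_len=16, min_entropy=3.0):
    """Flag (client, domain) pairs whose MX queries carry many long, high-entropy subdomains."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qtype, qname = m.groups()
        if qtype.upper() != "MX":
            continue  # endpoints rarely issue MX lookups; this channel only uses MX
        sub, domain = split_qname(qname)
        if sub:  # a bare "example.com" MX lookup carries no payload labels
            subs[(client, domain)].add(sub)
    flagged = {}
    for key, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_queries and avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged[key] = {"queries": len(names), "avg_len": avg_len, "avg_entropy": avg_ent}
    return flagged
```

Running `find_mx_tunneling(SAMPLE_LOG)` flags only the 10.0.0.5 / litterbolo.com pair; the ordinary MX lookups for example.com and example.org fall below the thresholds.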

Though the origin and intentions of the malware operators remain unknown, Zscaler identified two accounts created by them on criminal underground forums like blackhatworld[.]com and social-eng[.]ru, both linked to the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.
