Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

18.04.2024


A recently discovered malvertising campaign abuses Google Ads and a network of domains imitating legitimate IP scanner software to distribute a previously unknown backdoor named MadMxShell.

Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh found that the threat actor registered several look-alike domains using typosquatting techniques and bought Google Ads for specific search keywords to push those domains to the top of search results. The goal was to lure victims to the sites without any hint of their malicious nature.

Between November 2023 and March 2024, approximately 45 domains were registered, masquerading as port scanning and IT management software like Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.
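The look-alike domains described above can be caught on the defender's side by comparing newly registered domains against a list of monitored brands. The following is an added example, not code from the article or from Zscaler: it normalizes the registrable label (collapsing hyphens and common character swaps), computes Levenshtein edit distance against each brand domain, and also flags domains that simply embed the brand name with extra words. The brand list, thresholds and sample domains are constructed assumptions for illustration.

```python
# Added example (not from the article or Zscaler's report): flag newly registered
# domains that resemble a monitored brand. The brand map, the normalization rules
# and SAMPLE_NRD below are constructed assumptions, not real indicators.

# Brand domain -> product name (assumed list; extend for your own estate).
BRANDS = {
    "advanced-ip-scanner.com": "Advanced IP Scanner",
    "angryip.org": "Angry IP Scanner",
    "paessler.com": "PRTG",
    "manageengine.com": "ManageEngine",
}

# Constructed newly-registered-domain feed: some look-alikes, one benign, one legit.
SAMPLE_NRD = [
    "advanced-ip-scaner.com",      # dropped letter
    "advancedipscanner-app.net",   # brand plus a suffix word
    "angryipscanner.org",          # brand embedded in a longer label
    "manageengine-support.com",    # brand plus a suffix word
    "weather-today.com",           # unrelated, should not be flagged
    "advanced-ip-scanner.com",     # the legitimate domain itself, skipped
]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label only (assumes a two-label public suffix is not in use)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Collapse separators and common visual substitutions before comparing."""
    label = label.replace("-", "").replace("_", "")
    for old, new in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        label = label.replace(old, new)
    return label


def find_lookalikes(domains, max_distance: int = 2):
    """Return (domain, brand, distance) for every domain that resembles a brand."""
    hits = []
    for d in domains:
        d_norm = normalize(registrable_label(d))
        for brand_domain, brand in BRANDS.items():
            if d.lower() == brand_domain:
                continue  # the brand's own domain is not a look-alike
            b_norm = normalize(registrable_label(brand_domain))
            dist = levenshtein(d_norm, b_norm)
            if dist <= max_distance or b_norm in d_norm:
                hits.append((d, brand, dist))
    return hits


if __name__ == "__main__":
    for domain, brand, dist in find_lookalikes(SAMPLE_NRD):
        print(f"{domain:30} looks like {brand!r} (edit distance {dist})")
```

In practice the feed would come from a certificate-transparency or newly-registered-domain source, and the flagged list would feed a takedown or blocklist workflow; the substitution table and distance threshold are where false positives get tuned.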

Although malvertising techniques have been used before to serve malware through fake sites, this marks the first instance of using such a method to propagate a sophisticated Windows backdoor.

Users searching for these tools are directed to fake sites containing JavaScript code, which triggers the download of a malicious file (“Advanced-ip-scanner.zip”) upon clicking the download button.

Within the ZIP archive, there’s a DLL file (“IVIEWERS.dll”) and an executable (“Advanced-ip-scanner.exe”). The executable utilizes DLL side-loading to activate the infection sequence by loading the DLL and injecting shellcode into the process through process hollowing.

The injected EXE file then unpacks two additional files, OneDrive.exe and Secur32.dll. OneDrive.exe, a legitimate Microsoft binary, is abused to sideload Secur32.dll, which in turn executes the shellcode backdoor. The malware also establishes persistence on the host through a scheduled task and disables Microsoft Defender Antivirus.
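Both stages above rely on DLL side-loading: a DLL placed next to an executable is loaded instead of the expected one. The following is an added example, not code from the article or from Zscaler, showing how image-load telemetry can be checked for that pattern. It assumes events shaped like Sysmon Event ID 7 (process image, loaded DLL path, signature status), reduced here to a constructed list of dictionaries, and a small, assumed list of DLL names that normally live under the Windows directory.

```python
# Added example (not from the article or Zscaler's report): detect DLL side-loading
# candidates in image-load events. The event list and the system-DLL name list are
# constructed assumptions; a real deployment would build the DLL list from a clean
# System32/SysWOW64 inventory and take events from Sysmon Event ID 7 or similar.
import ntpath

# Assumed partial list of DLL names that are expected only under %SystemRoot%.
KNOWN_SYSTEM_DLLS = {
    "secur32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll",
    "wtsapi32.dll", "userenv.dll",
}

SYSTEM_DIRS = ("c:\\windows\\",)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events mirroring the two sideload stages in the text plus two benign loads.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\Downloads\Advanced-ip-scanner.exe",
     "image_loaded": r"C:\Users\u\Downloads\IVIEWERS.dll",
     "dll_signed": False},
    {"image": r"C:\Users\u\AppData\Local\Temp\OneDrive.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\Secur32.dll",
     "dll_signed": False},
    {"image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Program Files\App\helper.dll",
     "dll_signed": True},
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\secur32.dll",
     "dll_signed": True},
]


def is_under(path: str, prefixes) -> bool:
    """Case-insensitive prefix check on a Windows path."""
    p = path.lower()
    return any(p.startswith(pre) for pre in prefixes)


def evaluate_image_load(evt: dict) -> list:
    """Return a list of reasons this load looks like side-loading (empty = benign)."""
    reasons = []
    exe_dir = ntpath.dirname(evt["image"]).lower()
    dll_path = evt["image_loaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()

    # Rule 1: a well-known system DLL name resolved from outside the Windows directory.
    if dll_name in KNOWN_SYSTEM_DLLS and not is_under(dll_path, SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll_name} loaded from a non-system directory")

    # Rule 2: an unsigned DLL loaded from the executable's own directory, and that
    # directory is not a trusted install location (Downloads, Temp, ...).
    if dll_dir == exe_dir and not is_under(dll_path, TRUSTED_DIRS) and not evt.get("dll_signed", False):
        reasons.append("unsigned DLL loaded from the executable's own directory outside trusted paths")
    return reasons


def scan_events(events) -> list:
    """Return (image, dll, reasons) for every event that trips at least one rule."""
    hits = []
    for evt in events:
        reasons = evaluate_image_load(evt)
        if reasons:
            hits.append((evt["image"], evt["image_loaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in scan_events(SAMPLE_EVENTS):
        print(f"{image}\n  -> {dll}\n     " + "\n     ".join(reasons))
```

Rule 2 is deliberately broad (portable applications legitimately ship unsigned helper DLLs), so in production it is usually paired with an allowlist of known application directories; Rule 1 is the higher-confidence signal and matches the Secur32.dll stage directly.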

Named for its use of DNS MX queries for command-and-control (C2), the backdoor collects system information, executes commands via cmd.exe, and conducts basic file manipulation operations.

It communicates with the C2 server (“litterbolo[.]com”) by encoding data in the subdomains of the Fully Qualified Domain Name (FQDN) using DNS mail exchange (MX) query packets, receiving encoded commands in response.
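The MX-based tunneling described in the last two paragraphs leaves a recognisable trace in resolver logs: one client issuing many MX queries for ever-changing, long, high-entropy subdomains of a single domain. The following is an added detection example, not code from the article or from Zscaler. It assumes a simple constructed log format (timestamp, client IP, query type, query name), uses a placeholder C2 domain rather than the real indicator, and the thresholds are assumptions to be tuned against real traffic.

```python
# Added example (not from the article or Zscaler's report): flag DNS MX tunneling
# from resolver logs. SAMPLE_LOG is constructed; "c2-placeholder.test" stands in for
# a real C2 domain. Thresholds are assumptions for illustration.
import math
import re
from collections import defaultdict

# Constructed log lines: one client (10.0.0.7) tunnels data through MX subdomains,
# the others are ordinary lookups.
SAMPLE_LOG = """\
2024-03-12T10:15:01Z 10.0.0.5 MX mail.example.com
2024-03-12T10:15:02Z 10.0.0.7 MX 3a4b1c9e8d7f.0a1b2c3d4e5f.c2-placeholder.test
2024-03-12T10:15:03Z 10.0.0.7 MX 9f8e7d6c5b4a.1122334455aa.c2-placeholder.test
2024-03-12T10:15:04Z 10.0.0.7 MX 00aa11bb22cc.33dd44ee55ff.c2-placeholder.test
2024-03-12T10:15:05Z 10.0.0.7 MX deadbeefcafe.0123456789ab.c2-placeholder.test
2024-03-12T10:15:06Z 10.0.0.7 MX 1234abcd5678.ef0011223344.c2-placeholder.test
2024-03-12T10:15:07Z 10.0.0.5 A www.example.com
2024-03-12T10:15:08Z 10.0.0.9 MX example.org
2024-03-12T10:15:09Z 10.0.0.7 MX 5566778899aa.bbccddeeff00.c2-placeholder.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_line(line: str):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower().rstrip(".")}


def split_name(qname: str):
    """Split into (subdomain part, base domain); assumes a one-label public suffix."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than words like 'mail'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_mx_tunneling(log_text: str, min_queries=5, min_sub_len=16, min_entropy=3.0):
    """Aggregate MX queries per (client, base domain) and flag tunneling-like behaviour."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "MX":
            continue  # only MX queries matter for this backdoor's channel
        sub, base = split_name(rec["qname"])
        s = stats[(rec["client"], base)]
        s["queries"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub.replace(".", "")))

    alerts = []
    for (client, base), s in stats.items():
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        # Many distinct, long, high-entropy subdomains under one domain from one host.
        if (s["queries"] >= min_queries and len(s["subs"]) >= min_queries
                and mean_len >= min_sub_len and mean_ent >= min_entropy):
            alerts.append({"client": client, "domain": base, "queries": s["queries"],
                           "unique_subdomains": len(s["subs"]),
                           "mean_subdomain_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


if __name__ == "__main__":
    for a in detect_mx_tunneling(SAMPLE_LOG):
        print(a)
```

Legitimate MX traffic comes from mail servers, not workstations, and targets short, stable names, so restricting the rule to MX queries keeps the baseline small; a real deployment would also use a public-suffix list so that `co.uk`-style domains are grouped correctly.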

The backdoor employs several evasion techniques, including multiple stages of DLL side-loading and DNS tunneling for C2 communication, as well as anti-dumping measures that hinder memory analysis and forensic tools.

Though the origin and intentions of the malware operators remain unknown, Zscaler identified two accounts created by them on criminal underground forums like blackhatworld[.]com and social-eng[.]ru, both linked to the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.
