Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

18.04.2024


A recently uncovered malvertising campaign abusing Google Ads uses a network of domains imitating legitimate IP scanner software to distribute a previously undocumented backdoor named MadMxShell.

Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh found that the threat actor registered several look-alike domains via typosquatting and used Google Ads to push them to the top of search results for specific keywords, luring victims to sites they had no reason to suspect.

Between November 2023 and March 2024, approximately 45 domains were registered, masquerading as port scanning and IT management software like Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.

Malvertising has been used before to serve malware through fake download sites, but according to the researchers this is the first time the method has been used to distribute a sophisticated Windows backdoor.

Users searching for these tools are taken to fake sites whose JavaScript triggers the download of a malicious archive (“Advanced-ip-scanner.zip”) when the download button is clicked.

The ZIP archive contains a DLL (“IVIEWERS.dll”) and an executable (“Advanced-ip-scanner.exe”). The executable uses DLL side-loading to load the DLL, which starts the infection chain by injecting shellcode into the executable's own process via process hollowing.

The injected executable then unpacks two further files, OneDrive.exe and Secur32.dll. OneDrive.exe, a legitimate Microsoft binary, is abused to side-load Secur32.dll, which in turn runs the shellcode backdoor. The malware also establishes persistence with a scheduled task and disables Microsoft Defender Antivirus.
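The two side-loading stages above (Advanced-ip-scanner.exe loading IVIEWERS.dll, then a dropped OneDrive.exe loading a look-alike Secur32.dll) leave a characteristic trace in image-load telemetry. The following is an added detection example, not code from the page or from Zscaler: it scores Sysmon Event ID 7 (Image loaded) records with four heuristics. The record layout, the `process_signer` field (assumed to be joined from the matching Sysmon Event ID 1 process-create event, since event 7 does not carry it), the baseline of System32 DLL names, the staging-directory markers and the sample events are all constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Directories from which the named system DLLs are expected to load.
WINDOWS_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names a clean host serves only from the system directories (assumed baseline:
# secur32.dll is the one the page names; the others are ordinary System32 DLLs).
SYSTEM_DLL_NAMES = {"secur32.dll", "version.dll", "dbghelp.dll", "cryptsp.dll"}
# Path components that mark user-writable staging locations (assumption).
STAGING_MARKERS = ("temp", "downloads", "public")
MICROSOFT = "Microsoft Corporation"


@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 record reduced to the fields used here. process_signer is
    not part of event 7; assume it was joined from the process-create event (ID 1)."""
    process: str         # Image (the loading process)
    process_signer: str  # signer of the process executable ("" if unsigned)
    dll: str             # ImageLoaded
    dll_signer: str      # Signature of the loaded DLL ("" if unsigned)


def _in_staging_dir(directory: str) -> bool:
    padded = directory.lower() + "\\"
    return any(f"\\{m}\\" in padded for m in STAGING_MARKERS)


def side_load_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like DLL side-loading (empty if none)."""
    proc_dir = ntpath.dirname(ev.process).lower()
    dll_dir = ntpath.dirname(ev.dll).lower()
    dll_name = ntpath.basename(ev.dll).lower()
    reasons = []
    # 1. A DLL with a System32 name served from somewhere else (the Secur32.dll stage).
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in WINDOWS_SYSTEM_DIRS:
        reasons.append(f"{dll_name} loaded from {dll_dir} instead of a system directory")
    # 2. A Microsoft-signed host (OneDrive.exe) loading a non-Microsoft DLL that sits
    #    beside it: genuine OneDrive components are Microsoft-signed.
    if (ev.process_signer == MICROSOFT and dll_dir == proc_dir
            and dll_dir not in WINDOWS_SYSTEM_DIRS and ev.dll_signer != MICROSOFT):
        reasons.append("Microsoft-signed host loaded a non-Microsoft DLL from its own directory")
    # 3. A Microsoft-signed binary executing from a staging directory (a dropped copy).
    if ev.process_signer == MICROSOFT and _in_staging_dir(proc_dir):
        reasons.append("Microsoft-signed binary running from a user-writable staging directory")
    # 4. Any executable in a staging directory loading an unsigned DLL from the same
    #    directory (the Advanced-ip-scanner.exe + IVIEWERS.dll stage). Noisy on its own,
    #    so treat it as a triage hint rather than a blocking rule.
    if _in_staging_dir(proc_dir) and dll_dir == proc_dir and not ev.dll_signer:
        reasons.append("unsigned DLL loaded from beside an executable in a staging directory")
    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each flagged process path to its reasons; clean loads are omitted."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            hits.setdefault(ev.process, []).extend(reasons)
    return hits


# Constructed sample records modelled on the chain the page describes.
SAMPLE_EVENTS = [
    # Benign: the real OneDrive loading the real Secur32.dll.
    ImageLoad(r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe", MICROSOFT,
              r"C:\Windows\System32\secur32.dll", MICROSOFT),
    # Stage 1: the downloaded fake scanner loading an unsigned IVIEWERS.dll beside it.
    ImageLoad(r"C:\Users\victim\Downloads\Advanced-ip-scanner\Advanced-ip-scanner.exe", "",
              r"C:\Users\victim\Downloads\Advanced-ip-scanner\IVIEWERS.dll", ""),
    # Stage 2: a dropped OneDrive.exe side-loading a look-alike Secur32.dll from Temp.
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\upd\OneDrive.exe", MICROSOFT,
              r"C:\Users\victim\AppData\Local\Temp\upd\Secur32.dll", ""),
]

if __name__ == "__main__":
    for proc, reasons in scan(SAMPLE_EVENTS).items():
        print(proc)
        for reason in reasons:
            print("  -", reason)
```

Rule 1 alone catches the Secur32.dll stage with very little noise, because a DLL with a System32 name should never load from a Temp directory; rules 2 to 4 add context so that the first stage, which uses a non-system DLL name, is surfaced too. Run against real telemetry, the rules should be fed from a join of event 7 and event 1 on ProcessGuid.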

The backdoor, named for its use of DNS MX queries for command-and-control (C2), collects system information, runs commands via cmd.exe and performs basic file operations.

It communicates with its C2 server (“litterbolo[.]com”) by encoding data into the subdomain labels of a fully qualified domain name (FQDN) that it sends in DNS mail exchange (MX) query packets, and receives encoded commands in the responses.
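MX queries are something mail servers send for bare domains; an ordinary workstation issuing many MX queries whose subdomains look like encoded data is the tell for this kind of tunnel. The following is an added example, not code from the page or from Zscaler: it runs that check over constructed DNS query log lines (timestamp, client, query type, name). The log format, the two-label registrable-domain assumption and the thresholds are assumptions; the litterbolo.com entries reuse the page's C2 domain (defanged in the text) with made-up payload labels, and nothing is resolved.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log lines: timestamp, client, query type, name.  The
# litterbolo.com entries mimic the page's MX-query C2 with made-up payloads;
# the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
2024-04-18T10:00:01Z 10.0.0.15 A  www.example.org.
2024-04-18T10:00:02Z 10.0.0.15 A  mail.example.org.
2024-04-18T10:00:03Z 10.0.0.20 MX example.org.
2024-04-18T10:00:04Z 10.0.0.20 MX corp.example.net.
2024-04-18T10:00:05Z 10.0.0.15 MX q7kz2mf9xbtv4nwp3hgyc6ujrl5dse8oa.litterbolo.com.
2024-04-18T10:00:06Z 10.0.0.15 MX 3hgyc6ujrl5dse8oaq7kz2.mf9xbtv4nwp.litterbolo.com.
2024-04-18T10:00:07Z 10.0.0.15 MX xbtv4nwp3hgyc6ujrl5dse8oaq7kz2mf9.litterbolo.com.
2024-04-18T10:00:08Z 10.0.0.15 MX dse8oaq7kz2mf9xbtv4nwp3hgyc6ujrl5.litterbolo.com.
2024-04-18T10:00:09Z 10.0.0.15 MX ujrl5dse8oaq7kz2mf9.xbtv4nwp3hgyc6.litterbolo.com.
2024-04-18T10:00:10Z 10.0.0.15 MX mf9xbtv4nwp3hgyc6ujrl5dse8oaq7kz2.litterbolo.com.
2024-04-18T10:00:11Z 10.0.0.20 MX corp.example.net.
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit well above dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def registrable_domain(labels):
    # Assumption: two-label registrable domains; use a public-suffix list in production.
    return ".".join(labels[-2:])


def analyze_dns(lines, min_queries=5, min_entropy=3.5):
    """Return domains receiving MX queries whose subdomains look like tunnelled data."""
    stats = defaultdict(lambda: {"mx_queries": 0, "subdomains": set(),
                                 "clients": set(), "entropy_sum": 0.0})
    for line in lines:
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if qtype != "MX":
            continue
        labels = qname.split(".")
        if len(labels) < 3:   # bare-domain MX lookup: what a mail server legitimately sends
            continue
        domain = registrable_domain(labels)
        payload = "".join(labels[:-2])   # data carried in the subdomain labels
        s = stats[domain]
        s["mx_queries"] += 1
        s["subdomains"].add(payload)
        s["clients"].add(client)
        s["entropy_sum"] += shannon_entropy(payload)
    findings = []
    for domain, s in sorted(stats.items()):
        avg = s["entropy_sum"] / s["mx_queries"]
        # Many MX queries, each with a different high-entropy subdomain, to one domain.
        if (s["mx_queries"] >= min_queries and len(s["subdomains"]) >= min_queries
                and avg >= min_entropy):
            findings.append({"domain": domain, "mx_queries": s["mx_queries"],
                             "distinct_subdomains": len(s["subdomains"]),
                             "clients": sorted(s["clients"]), "avg_entropy": round(avg, 2)})
    return findings


if __name__ == "__main__":
    for finding in analyze_dns(SAMPLE_LOG.splitlines()):
        print(finding)
```

The benign `corp.example.net` lookups pass the subdomain test but fail on volume, distinct-subdomain count and entropy, while the six litterbolo.com queries from one client trip all three. Because the response carries the commands, a host-side variant of the same check can look at the MX answer records as well; resolver logs that record only the question are enough for this query-side version.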

To evade detection the backdoor uses several techniques: multiple stages of DLL side-loading, DNS tunneling for its C2 traffic, and anti-dumping measures that hinder memory analysis and forensic tools.

Although the operators' origin and motives remain unknown, Zscaler identified two accounts they created on criminal underground forums, blackhatworld[.]com and social-eng[.]ru, both linked to the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.

Other news

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree

40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.


Biden Blocks Mass Transfer of Personal Data to High-Risk Nations

U.S. President Joe Biden recently issued an Executive Order aimed at prohibiting the mass transfer of citizens’ personal data to countries identified as potential concerns. The White House emphasized that the Executive Order introduces safeguards around various activities that might grant these countries access to sensitive American data.
