A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.
"The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.
As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.
While this isn't the first time threat actors have banked on malvertising to serve malware via lookalike sites, the development marks the first time this delivery vehicle has been used to propagate a sophisticated Windows backdoor.
Thus, users who end up searching for such tools are shown bogus sites that include JavaScript code designed to download a malicious file ("Advanced-ip-scanner.zip") when the download button is clicked.
Present within the ZIP archive is a DLL file ("IVIEWERS.dll") and an executable ("Advanced-ip-scanner.exe"), the latter of which uses DLL side-loading to load the DLL and activate the infection sequence.
The DLL file is responsible for injecting shellcode into the "Advanced-ip-scanner.exe" process by means of a technique called process hollowing, following which the injected EXE unpacks two additional files, OneDrive.exe and Secur32.dll.
OneDrive.exe, a legitimate signed Microsoft binary, is then abused to side-load Secur32.dll and ultimately execute the shellcode backdoor, but not before establishing persistence on the host via a scheduled task and disabling Microsoft Defender Antivirus.
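Both side-loading stages above (an unsigned Advanced-ip-scanner.exe loading IVIEWERS.dll from its own folder, then a signed OneDrive.exe loading a rogue Secur32.dll) are exactly what Sysmon's ImageLoad event (Event ID 7) records. The Python below is an added example written for this page, not Zscaler's or the article's code: it runs two side-loading heuristics over constructed Event ID 7 records. The file paths, the user name "victim" and the directory OneDrive.exe is dropped into are assumptions; the article does not say where the second stage is written.

```python
"""Hunt for DLL side-loading in Sysmon ImageLoad (Event ID 7) records.

Added example for this page, not code from the article or Zscaler. The
records are constructed to mirror the chain described above; paths, the
user name "victim" and the OneDrive.exe drop directory are assumptions.
"""
import ntpath

# Where a DLL carrying a Windows system-DLL name is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLL names commonly spoofed for side-loading; the article names Secur32.dll.
SYSTEM_DLL_NAMES = {"secur32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}

# User-writable roots where a dropped EXE/DLL pair would land.
USER_WRITABLE_ROOTS = (r"c:\users", r"c:\programdata", r"c:\temp")


def _under(path: str, roots) -> bool:
    """True if the (lower-cased) path equals one of roots or sits beneath it."""
    return any(path == r or path.startswith(r + "\\") for r in roots)


def classify_image_load(ev: dict) -> list:
    """Return the names of the heuristics that fire for one Event ID 7 record.

    Only fields Sysmon actually emits are used: Image (host process),
    ImageLoaded (the DLL) and Signed (signature status of the loaded DLL).
    """
    loaded = ev["ImageLoaded"].lower()
    loaded_dir = ntpath.dirname(loaded)
    host_dir = ntpath.dirname(ev["Image"].lower())
    hits = []
    # High confidence: a DLL named like a system DLL loading from outside the
    # system directories (the rogue Secur32.dll next to OneDrive.exe).
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not _under(loaded_dir, SYSTEM_DIRS):
        hits.append("system-dll-name-outside-system-dir")
    # Lower confidence: an unsigned DLL loaded from the host's own directory
    # somewhere user-writable (both stages of the chain look like this).
    if (ev.get("Signed", "false").lower() != "true"
            and loaded_dir == host_dir
            and _under(host_dir, USER_WRITABLE_ROOTS)):
        hits.append("unsigned-dll-colocated-in-user-writable-dir")
    return hits


def hunt(events):
    """Return (Image, ImageLoaded, hits) for every record that trips at least one rule."""
    out = []
    for ev in events:
        hits = classify_image_load(ev)
        if hits:
            out.append((ev["Image"], ev["ImageLoaded"], hits))
    return out


# Constructed records (real Sysmon output is EVTX/XML with many more fields).
SAMPLE_EVENTS = [
    # Stage 1: the fake scanner EXE loads IVIEWERS.dll from the unzipped folder.
    {"Image": r"C:\Users\victim\Downloads\Advanced-ip-scanner\Advanced-ip-scanner.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Advanced-ip-scanner\IVIEWERS.dll",
     "Signed": "false"},
    # Stage 2: the dropped, legitimately signed OneDrive.exe loads a rogue Secur32.dll
    # sitting beside it (drop path is an assumption).
    {"Image": r"C:\Users\victim\AppData\Roaming\OneDriveUpd\OneDrive.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\OneDriveUpd\Secur32.dll",
     "Signed": "false"},
    # Benign: the real OneDrive install loading the real secur32.dll from System32.
    {"Image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\secur32.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll, hits in hunt(SAMPLE_EVENTS):
        print(f"{image}\n  -> {dll}\n  rules: {', '.join(hits)}")
```

The stage-2 record trips both rules, which is what makes the Secur32.dll side-load the better detection point: a DLL that borrows a system DLL's name but loads from a user-writable directory is rare in legitimate software. The stage-1 pair only trips the lower-confidence rule, because neither the EXE nor the DLL is signed and nothing trusted is being abused; on a real estate that rule needs an allowlist for unsigned tools users install under their own profile.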
The backdoor, so named for its use of DNS MX queries for command-and-control (C2), is designed to gather system information, run commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.
It sends requests to the C2 server ("litterbolo[.]com") by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS mail exchange (MX) query packet and receives commands encoded within the response packet. Because the traffic is ordinary DNS relayed by the victim's recursive resolver, it reaches the C2 even from hosts with no direct internet access, and the resolver's query logs are the natural place to look for it.
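The article does not describe how MadMxShell packs data into the labels, so the encoder in the example below is an assumed base32 scheme used only to generate realistic-looking MX queries; the detector half is the part a defender would reuse against resolver logs. This is an added example written for this page, not code from the article or Zscaler: the log line format, the client IP and the system-info payload are constructed, and the C2 domain is the one the article reports (written undefanged here, but nothing is ever resolved).

```python
"""Model and detect MX-record DNS tunnelling of the kind the article describes.

Added example for this page, not code from the article or Zscaler. The
article does not give MadMxShell's label encoding, so encode_query_name()
is an assumed base32 scheme used only to generate realistic queries; the
log format, client IP and system-info payload are constructed.
"""
import base64
import collections
import math

C2_DOMAIN = "litterbolo.com"   # the article's C2 domain, written defanged there as litterbolo[.]com
CHUNK = 30                     # 30 bytes -> 48 base32 chars, under the 63-char DNS label limit


def encode_query_name(payload: bytes, parent: str = C2_DOMAIN) -> str:
    """Pack payload into subdomain labels of parent (base32, unpadded, lower-case).

    Base32 is used because DNS names are case-insensitive, so base64 would not survive.
    """
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    return ".".join(labels + [parent])


def decode_query_name(qname: str, parent: str = C2_DOMAIN) -> bytes:
    """Inverse of encode_query_name: strip parent, rejoin labels, restore padding."""
    data = qname[: -(len(parent) + 1)].replace(".", "").upper()
    return base64.b32decode(data + "=" * (-len(data) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 text tops out at 5, natural hostnames sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(s).values())


def parse_line(line: str) -> dict:
    """Constructed resolver log format: '<ts> <client> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".").lower()}


def split_parent(qname: str):
    """Split off the registered domain. Assumes it is the last two labels;
    production code should use a public-suffix list instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(lines, min_sub_len: int = 40, min_unique: int = 3):
    """Flag MX queries whose subdomain is long enough to carry data, and parent
    domains that receive many distinct MX names (legit MX lookups hit the bare domain)."""
    findings = []
    names_per_parent = collections.defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["qtype"] != "MX":
            continue
        sub, parent = split_parent(rec["qname"])
        names_per_parent[parent].add(rec["qname"])
        if len(sub) >= min_sub_len:
            findings.append((rec["qname"], "mx-long-subdomain", round(shannon_entropy(sub), 2)))
    for parent, names in names_per_parent.items():
        if len(names) >= min_unique:
            findings.append((parent, "mx-many-unique-names", len(names)))
    return findings


def suspicious_parents(lines, **kwargs):
    """Registered domains implicated by any finding."""
    return sorted({split_parent(name)[1] for name, _, _ in analyze(lines, **kwargs)})


# --- constructed sample: the implant exfiltrates a system-info string in chunks ---
SYSINFO = b"hostname=WS01;user=victim;os=Windows 10;arch=x64;av=off;i=1;ip=10.0.0.5;pid=4412;dom=corp;"
TUNNELED_QUERIES = [encode_query_name(SYSINFO[i:i + CHUNK]) for i in range(0, len(SYSINFO), CHUNK)]

SAMPLE_LOG = [
    "2024-04-17T10:00:01Z 10.0.0.5 A www.example.com",
    "2024-04-17T10:00:02Z 10.0.0.5 MX example.com",        # normal MX lookup
    "2024-04-17T10:00:03Z 10.0.0.5 MX mail.example.com",   # short subdomain, below threshold
] + [f"2024-04-17T10:00:{4 + i:02d}Z 10.0.0.5 MX {q}" for i, q in enumerate(TUNNELED_QUERIES)]

if __name__ == "__main__":
    for item in analyze(SAMPLE_LOG):
        print(item)
    print("suspicious:", suspicious_parents(SAMPLE_LOG))
```

Two properties of the technique drive the rules: a mail client asks for the MX record of the bare domain, so MX queries carrying long subdomains are themselves anomalous, and a tunnel has to vary the name on every beacon to defeat caching, so one parent domain accumulates many distinct MX names. Whatever encoding the real implant uses, both properties survive, which is why the detector does not depend on the assumed base32 scheme. The entropy is reported alongside each long-subdomain hit as supporting evidence rather than thresholded, since a short dictionary-encoded label can score low while still being tunnelled data.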
"The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively," Tay and Singh said.
"In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions."
There is currently no indication of where the malware operators originate from or what their intentions are, but Zscaler said it identified two accounts created by them on criminal underground forums such as blackhatworld[.]com and social-eng[.]ru using the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.
Specifically, the threat actor was found engaging in posts offering ways to set up unlimited Google AdSense threshold accounts as far back as June 2023, indicating an interest in launching their own long-lasting malvertising campaign.
"Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums," the researchers said. "Many times they offer a way for the threat actor to add as many credits as possible to run Google Ads campaigns."
"This allows the threat actors to run campaigns without actually paying until the threshold limit. A reasonably high threshold limit lets the threat actor run the ad campaign for a significant amount of time."