A brand new Google malvertising marketing campaign is leveraging a cluster of domains mimicking a legit IP scanner software program to ship a beforehand unknown backdoor dubbed MadMxShell.
“The risk actor registered a number of look-alike domains utilizing a typosquatting method and leveraged Google Adverts to push these domains to the highest of search engine outcomes focusing on particular search key phrases, thereby luring victims to go to these websites,” Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh stated.
As many as 45 domains are stated to have been registered between November 2023 and March 2024, with the websites masquerading as port scanning and IT administration software program similar to Superior IP Scanner, Offended IP Scanner, IP scanner PRTG, and ManageEngine.
Whereas that is not the primary time risk actors are banking on malvertising strategies to serve malware by way of lookalike websites, the event marks the primary time the supply car is getting used to propagate a classy Home windows backdoor.
Thus, customers who find yourself trying to find such instruments are displayed bogus websites that embody JavaScript code designed to obtain a malicious file (“Superior-ip-scanner.zip”) upon clicking the obtain button.
Current throughout the ZIP archive is a DLL file (“IVIEWERS.dll”) and an executable (“Superior-ip-scanner.exe”), the latter of which makes use of DLL side-loading to load the DLL and activate the an infection sequence.
The DLL file is chargeable for injecting the embedded shellcode into the “Superior-ip-scanner.exe” course of by way of a method referred to as course of hollowing, following which the injected EXE file unpacks two extra recordsdata – OneDrive.exe and Secur32.dll.
OneDrive.exe, a legit signed Microsoft binary, is then abused to sideload Secur32.dll, and in the end execute the shellcode backdoor, however not earlier than establishing persistence on the host by the use of a scheduled job and disabling Microsoft Defender Antivirus.
The backdoor – so named for its use of DNS MX queries for command-and-control (C2) – is designed to assemble system info, run instructions by way of cmd.exe, and carry out fundamental file manipulation operations similar to studying, writing, and deleting recordsdata.
It sends requests to the C2 server (“litterbolo[.]com”) by encoding the information within the subdomain(s) of the Absolutely Certified Area Title (FQDN) in a DNS mail trade (MX) question packet and receives instructions encoded throughout the response packet.
“The backdoor makes use of strategies similar to a number of levels of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a method to evade endpoint and community safety options, respectively,” Tay and Singh stated.
“As well as, the backdoor makes use of evasive strategies like anti-dumping to forestall reminiscence evaluation and hinder forensics safety options.”
There may be at present no indication of the place the malware operators originate from or what their intentions are, however Zscaler stated it recognized two accounts created by them on legal underground boards like blackhatworld[.]com and social-eng[.]ru utilizing the e-mail handle wh8842480@gmail[.]com, which was additionally used to register a site spoofing Superior IP Scanner.
Particularly, the risk actor has been discovered participating in posts providing methods to arrange limitless Google AdSense threshold accounts manner again in June 2023, indicating an curiosity in launching their very own long-lasting malvertising marketing campaign.
“Google Adverts threshold accounts and strategies for abusing them are sometimes traded on BlackHat boards,” the researchers stated. “Many instances they provide a manner for the risk actor so as to add as many credit as attainable to run Google Adverts campaigns.”
“This permits the risk actors to run campaigns with out really paying till the brink restrict. A fairly excessive threshold restrict lets the risk actor run the advert marketing campaign for a big period of time.”