Monday, March 10, 2025

Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor


A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.

"The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.

As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.

While this is not the first time threat actors are banking on malvertising techniques to serve malware via lookalike sites, the development marks the first time the delivery vehicle is being used to propagate a sophisticated Windows backdoor.


Thus, users who end up searching for such tools are shown bogus sites that include JavaScript code designed to download a malicious file ("Advanced-ip-scanner.zip") upon clicking the download button.


Present within the ZIP archive is a DLL file ("IVIEWERS.dll") and an executable ("Advanced-ip-scanner.exe"), the latter of which uses DLL side-loading to load the DLL and activate the infection sequence.

The DLL file is responsible for injecting the shellcode into the "Advanced-ip-scanner.exe" process via a technique called process hollowing, following which the injected EXE file unpacks two additional files – OneDrive.exe and Secur32.dll.

OneDrive.exe, a legitimate signed Microsoft binary, is then abused to sideload Secur32.dll and ultimately execute the shellcode backdoor, but not before establishing persistence on the host by means of a scheduled task and disabling Microsoft Defender Antivirus.


The backdoor – so named for its use of DNS MX queries for command-and-control (C2) – is designed to gather system information, run commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.

Fake IP Scanner Software

It sends requests to the C2 server ("litterbolo[.]com") by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS mail exchange (MX) query packet and receives commands encoded within the response packet.
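Because the C2 channel rides on MX lookups with data packed into subdomains, a defender's first signal is a single host issuing many MX queries for distinct, high-entropy subdomains of one domain. The following detection sketch is an added example (not Zscaler's tooling or code from the article); the log format and thresholds are assumptions, and the sample lines are constructed, reusing the C2 domain named above.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client_ip> <qtype> <qname>"
# (assumed format). The last four lines mimic MX-based tunneling to the
# C2 domain named in the article; the first two are ordinary traffic.
SAMPLE_LOG = """\
2024-04-01T10:00:01Z 10.0.0.5 A www.example.com
2024-04-01T10:00:02Z 10.0.0.5 MX mail.example.com
2024-04-01T10:00:03Z 10.0.0.7 MX 3fa9c0e1b2d4.a81f7e.litterbolo.com
2024-04-01T10:00:04Z 10.0.0.7 MX 9b2e77d1c40a.5c3d1f.litterbolo.com
2024-04-01T10:00:05Z 10.0.0.7 MX e4d0ab19f73c.02ee6b.litterbolo.com
2024-04-01T10:00:06Z 10.0.0.7 MX 71cc5e8d2b90.f4a2c7.litterbolo.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_mx_tunneling(log_text, min_queries=3, min_entropy=3.0):
    """Group MX queries per (client, registrable domain) and flag groups with
    many distinct subdomains whose labels look like encoded data.
    Registrable domain is approximated as the last two labels (assumption)."""
    per_key = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        if qtype != "MX":
            continue
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) <= 2:
            continue  # bare domain, nothing encoded in a subdomain
        domain = ".".join(labels[-2:])
        per_key[(client, domain)].append(".".join(labels[:-2]))

    alerts = []
    for (client, domain), subs in per_key.items():
        unique = set(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in unique) / len(unique)
        if len(unique) >= min_queries and avg_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "queries": len(subs),
                           "unique_subdomains": len(unique),
                           "avg_entropy": round(avg_entropy, 2)})
    return alerts
```

Tune `min_queries` and `min_entropy` against your own baseline; legitimate mail infrastructure rarely issues MX queries for deep, randomized subdomains from a workstation.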

"The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively," Tay and Singh said.

"In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions."


There is currently no indication of where the malware operators originate from or what their intentions are, but Zscaler said it identified two accounts created by them on criminal underground forums like blackhatworld[.]com and social-eng[.]ru using the email address wh8842480@gmail[.]com, which was also used to register a domain spoofing Advanced IP Scanner.

Specifically, the threat actor has been found engaging in posts offering ways to set up unlimited Google AdSense threshold accounts as far back as June 2023, indicating their interest in launching their own long-lasting malvertising campaign.

"Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums," the researchers said. "Many times they offer a way for the threat actor to add as many credits as possible to run Google Ads campaigns."


"This allows the threat actors to run campaigns without actually paying until the threshold limit. A reasonably high threshold limit lets the threat actor run the ad campaign for a significant amount of time."
