A new malvertising campaign on Google uses multiple counterfeit domains that mimic legitimate IP scanning tools to distribute a backdoor known as MadMxShell. Identified by Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay, the campaign tricks users into downloading malicious software without them noticing.
Dangerous Domains and Deceptive Downloads
The researchers explained, “The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites.”
Comparison of JavaScript code from a legitimate site and its malicious counterpart (Source: Zscaler ThreatLabz)
Reportedly, the attackers set up around 45 fake domains between November 2023 and March 2024. These sites posed as popular port scanning and IT management software, including names like Advanced IP Scanner and Angry IP Scanner, among others.
A Closer Look at the Malware Mechanism
Users lured to these deceptive websites encounter a download button that, when clicked, downloads a ZIP file called Advanced-ip-scanner.zip. The archive contains a DLL named IVIEWERS.dll and an executable named Advanced-ip-scanner.exe; when the executable runs, it loads the malicious DLL through a technique known as DLL side-loading, which activates the malware.
The DLL then injects malicious code into the Advanced-ip-scanner.exe process, a method known as process hollowing. This is only the first stage: the injected code subsequently unpacks additional malware components, which use legitimate Microsoft software to disguise their harmful activity.
The malware sets up a backdoor in the infected machine, cleverly named MadMxShell due to its use of DNS MX queries to connect to its command-and-control server. This backdoor can execute commands, manipulate files, and gather system information, transmitting data covertly through DNS queries.
“The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively,” the researchers added. They also noted its use of anti-dumping tactics to avoid detection through memory analysis.
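As an added illustration (not code from the Zscaler report), the following heuristic flags the DNS MX tunneling pattern described above in resolver logs: a single client issuing many MX lookups under one domain whose leftmost labels are long, high-entropy strings. The log format, thresholds, domain names and client addresses are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report): timestamp, client, qtype, qname.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 MX 3a9f1c7e2b4d6e8f0a1b2c3d.c2-example.test
2024-03-01T10:00:02Z 10.0.0.5 MX 9e8d7c6b5a4f3e2d1c0b9a8f.c2-example.test
2024-03-01T10:00:03Z 10.0.0.5 MX 1f2e3d4c5b6a79880716253f.c2-example.test
2024-03-01T10:00:04Z 10.0.0.5 MX 7b8c9dae0f1122334455667a.c2-example.test
2024-03-01T10:00:05Z 10.0.0.5 MX ab12cd34ef56ab78cd90ef12.c2-example.test
2024-03-01T10:00:06Z 10.0.0.5 MX cd34ef5601ab23cd45ef6789.c2-example.test
2024-03-01T10:00:07Z 10.0.0.7 A www.example.test
2024-03-01T10:00:08Z 10.0.0.7 MX example.test
2024-03-01T10:00:09Z 10.0.0.7 MX mail.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character; random hex approaches 4.0, plain words sit well below."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def registered_domain(qname):
    # Assumption: the last two labels approximate the registrable domain.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def flag_mx_tunneling(log_text, min_queries=5, min_sub_len=16, min_entropy=3.0):
    """Return the set of (client, domain) pairs whose MX traffic looks like a covert channel:
    at least min_queries MX lookups, each carrying a long, high-entropy subdomain payload.
    Ordinary hosts rarely issue MX queries at all; mail servers query short, stable names."""
    stats = defaultdict(lambda: {"count": 0, "suspicious": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, qtype, qname = m.groups()
        if qtype != "MX":
            continue
        key = (client, registered_domain(qname))
        stats[key]["count"] += 1
        payload = "".join(qname.split(".")[:-2])  # labels left of the registrable domain
        if len(payload) >= min_sub_len and shannon_entropy(payload) >= min_entropy:
            stats[key]["suspicious"] += 1
    return {k for k, v in stats.items()
            if v["count"] >= min_queries and v["suspicious"] >= min_queries}
```

Tune the thresholds against a baseline of your own resolver logs; legitimate mail infrastructure is the main source of benign MX lookups and should be allow-listed by client.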
The Culprits Behind the Campaign
The origins and motives of the malware operators remain unclear, but Zscaler researchers have linked them to two accounts on underground forums such as blackhatworld[.]com and social-eng[.]ru.
These accounts are associated with the email address wh8842480@gmail[.]com, which was also used for registering a domain that impersonates Advanced IP Scanner.
Additionally, the threat actor has taken part in discussions dating back to June 2023 about setting up unlimited Google AdSense threshold accounts. This activity suggests that they intend to run a sustained malvertising campaign.
Final Word
The importance of vigilance when downloading software online cannot be overstated. Users are advised to visit only trusted websites and to verify the authenticity of any software download to protect against such sophisticated threats.