A new Google malvertising campaign is leveraging a group of domains that mimic legitimate IP scanning software to deliver a previously unknown backdoor dubbed MadMxShell.
“The threat actor registered multiple similar domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results by targeting specific search keywords, thus enticing victims to visit these sites,” Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.
As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG and ManageEngine.
While this is not the first time threat actors have used malvertising to distribute malware via look-alike sites, the development marks the first time the distribution vehicle has been used to propagate a sophisticated Windows backdoor.
As a result, users who search for such tools are shown fake sites containing JavaScript code that downloads a malicious file (“Advanced-ip-scanner.zip”) when the download button is clicked.
Inside the ZIP archive is a DLL file (“IVIEWERS.dll”) and an executable (“Advanced-ip-scanner.exe”), the latter of which uses DLL sideloading to load the DLL and kick off the infection sequence.
The DLL file is responsible for injecting shellcode into the “Advanced-ip-scanner.exe” process via a technique called process hollowing, after which the injected process decompresses two additional files: OneDrive.exe and Secur32.dll.
OneDrive.exe, a signed legitimate Microsoft binary, is then misused to sideload Secur32.dll and ultimately execute the shellcode backdoor, but not before establishing persistence on the host via a scheduled task and disabling Microsoft Defender Antivirus.
The backdoor, named for its use of DNS MX queries for command and control (C2), is designed to gather system information, execute commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.
It sends requests to the C2 server (“litterbolo[.]com”) by encoding the data in the subdomains of the fully qualified domain name (FQDN) within a Mail Exchange (MX) DNS query packet, and receives commands encoded within the response packet.
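The C2 channel described above leaves a distinctive trace in DNS logs: repeated MX queries from one host carrying long, high-entropy subdomains under a single registered domain. The following detector is an added example written for this article, not code from Zscaler or from the malware; the log format, the hex-style subdomain encoding and the thresholds are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (assumed format: timestamp client qtype qname).
# Only the C2 domain name comes from the report; the subdomain payloads are made up.
SAMPLE_LOG = """\
2024-04-17T10:00:01Z 10.0.0.5 MX mail.example.com
2024-04-17T10:00:02Z 10.0.0.5 MX 4a6f686e2d50432d0a77696e.7831302d737461.litterbolo.com
2024-04-17T10:00:03Z 10.0.0.5 MX 1f2e3d4c5b6a79880011223344.aabbccddeeff.litterbolo.com
2024-04-17T10:00:04Z 10.0.0.7 A www.example.com
2024-04-17T10:00:05Z 10.0.0.5 MX 99887766554433221100ffee.ddccbbaa9988.litterbolo.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive last-two-labels split (no public-suffix handling, e.g. co.uk)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain_part(qname):
    """Everything left of the registered domain: where tunnelled data lives."""
    return ".".join(qname.rstrip(".").split(".")[:-2])

def is_suspicious_mx(qname, min_sub_len=24, min_entropy=3.0):
    """Legit MX lookups target short mail hostnames; tunnelled ones carry long, random-looking labels."""
    sub = subdomain_part(qname)
    return len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy

def find_mx_tunnel_candidates(log_text, min_queries=2):
    """Group suspicious MX queries by (client, registered domain); flag repeat offenders."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "MX":
            continue
        client, qname = parts[1], parts[3]
        if is_suspicious_mx(qname):
            per_pair[(client, registered_domain(qname))].append(qname)
    return {k: v for k, v in per_pair.items() if len(v) >= min_queries}

if __name__ == "__main__":
    for (client, domain), names in find_mx_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(names)} suspicious MX queries")
```

In production the same logic should run per client over a time window, since a single oversized MX query can be benign while a steady stream to one domain rarely is.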
“The backdoor uses techniques such as multiple stages of DLL sideloading and DNS tunneling for command and control (C2) communication as a means to evade endpoint and network security solutions, respectively,” Tay and Singh said.
“Additionally, the backdoor uses evasive techniques such as anti-dumping to prevent memory analysis and hinder forensic security solutions.”
There is currently no indication of where the malware operators are located or what their intentions are, but Zscaler said it has identified two accounts created by them on underground criminal forums such as blackhatworld[.]com and social-eng[.]ru using the email address wh8842480@gmail[.]com, which was also used to register an Advanced IP Scanner spoofing domain.
Specifically, the threat actor was found engaging in posts offering ways to set up Google AdSense unlimited threshold accounts in June 2023, indicating their interest in launching a long-running malvertising campaign of their own.
“Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums,” the researchers said. “Many times they offer the threat actor the ability to add as many credits as possible to run Google Ads campaigns.”
“This allows threat actors to run campaigns without actually paying up to the threshold limit. A reasonably high threshold limit allows threat actors to run the advertising campaign for a significant period of time.”