Malicious actors are distributing a new backdoor, MadMxShell, through a Google Ads campaign that impersonates an IP scanner. This Windows backdoor leverages DNS MX queries for communication with its command-and-control server.
The technique involves encoding data within subdomains of DNS MX queries to send information to the attacker and receiving commands encoded within the response packets.
Figure: network tab showing the sample's attempted DNS requests to its C2 server.
Attackers are using malvertising, placing malicious ads disguised as legitimate software, to spread a sophisticated Windows backdoor called MadMxShell for the first time, highlighting a new tactic for delivering advanced malware.
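As an added example (not code from the original article or from Zscaler's analysis), the following Python script shows one way a defender could hunt in resolver logs for the DNS MX channel described above: it flags MX queries whose leftmost labels are long and high-entropy, and clients that cycle through many distinct MX subdomains under one apex, since legitimate MX lookups normally target a domain apex rather than ever-changing encoded subdomains. The log format, the thresholds, and the `c2-placeholder.test` domain are assumptions for the example, and the apex is approximated as the last two labels rather than resolved via the public suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "<epoch> <client_ip> <qname> <qtype>".
# Domain and subdomain values are placeholders chosen for this example.
SAMPLE_LOG = """\
1713300001 10.0.0.5 example.com MX
1713300002 10.0.0.5 lists.example.org MX
1713300003 10.0.0.5 www.example.com A
1713300004 10.0.0.7 3f9a1c7e5b2d8e4f6a0c9b1d7e3f5a2c.c2-placeholder.test MX
1713300005 10.0.0.7 9e2b7d4c1f8a6e3d5b0c7a9f2e4d6b1c.c2-placeholder.test MX
1713300006 10.0.0.7 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.c2-placeholder.test MX
1713300007 10.0.0.7 www.example.com A
"""

MIN_ENCODED_LEN = 20   # assumed: legitimate MX lookups rarely carry long subdomain labels
MIN_ENTROPY = 3.0      # assumed: bits/char; hex- or base32-like data scores well above this
MIN_CHURN = 3          # assumed: distinct MX subdomains per client under one apex


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank or short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, qtype = parts[:4]
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_apex(qname):
    """Return (encoded_prefix, apex) using a two-label apex approximation."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_mx_tunneling(records):
    """Return the suspicious MX queries together with the reasons each was flagged."""
    mx = [r for r in records if r["qtype"] == "MX"]
    # churn: distinct MX qnames each client has sent under each apex
    churn = defaultdict(set)
    for r in mx:
        prefix, apex = split_apex(r["qname"])
        if prefix:
            churn[(r["client"], apex)].add(r["qname"])

    flagged = []
    for r in mx:
        prefix, apex = split_apex(r["qname"])
        encoded = prefix.replace(".", "")
        reasons = []
        if len(encoded) >= MIN_ENCODED_LEN and shannon_entropy(encoded) >= MIN_ENTROPY:
            reasons.append("long high-entropy subdomain in MX query")
        if len(churn[(r["client"], apex)]) >= MIN_CHURN:
            reasons.append("client cycles through many MX subdomains under one apex")
        if reasons:
            flagged.append({"client": r["client"], "qname": r["qname"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_mx_tunneling(parse_log(SAMPLE_LOG)):
        print(hit["client"], hit["qname"], "; ".join(hit["reasons"]))
```

Both signals are deliberately independent: the entropy check catches a single encoded query, while the churn check catches a client that keeps issuing MX lookups for new subdomains of the same apex even when the encoding keeps the labels short. Thresholds should be tuned against the organisation's own baseline of MX traffic before alerting on them.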
The attackers exploited Google Ads by registering domains imitating popular IP scanner software, tricking users into downloading the backdoor and bypassing traditional malware detection methods, which emphasizes the need for increased vigilance against malvertising.
Diagram of the infection chain. Source: Zscaler
An attacker leverages social engineering tactics to deceive a user searching for legitimate IP scanning tools: the user is tricked into clicking on a malicious Google ad that directs them to a typosquatted domain mimicking a popular download site.
Upon clicking the download button on this fake site, a malicious ZIP archive disguised as a legitimate IP scanner (“Advanced-ip-scanner.zip”) is downloaded.
The archive contains two malicious files: “IVIEWERS.dll” and “Advanced-ip-scanner.exe”, which are likely designed to exploit vulnerabilities in the user’s system or establish persistence to maintain unauthorized access for malicious purposes.
Advanced-ip-scanner.exe leverages DLL side-loading to inject the malicious IVIEWERS.dll during execution, which then employs process hollowing to replace the legitimate memory of Advanced-ip-scanner.exe with its own malicious shellcode.
MadMxShell, a backdoor malware, injects into Advanced-ip-scanner.exe and unpacks two files: a legitimate OneDrive.exe and a malicious Secur32.dll. It leverages OneDrive.exe’s trusted status to sideload Secur32.dll, which creates a persistent scheduled task and executes the backdoor shellcode.
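As an added example, not code from the article or from any of the vendors mentioned, the Python snippet below applies two simple side-loading checks to constructed image-load events modelled loosely on the fields of a Sysmon Event ID 7 (Image loaded) record. The checks correspond to the two stages described above: a DLL carrying a Windows system DLL name (such as Secur32.dll) loaded from outside the system directories, and an unsigned DLL loaded from the executable's own directory in a user-writable location such as Downloads or a Temp folder. The event structure, the file paths, and the short `SYSTEM_DLL_NAMES` baseline are assumptions made for the example.

```python
import ntpath  # handles Windows-style paths regardless of the host OS

# Constructed image-load events (not real telemetry). Field names are chosen for the
# example; paths are placeholders that mirror the infection chain described above.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\alice\Downloads\Advanced-ip-scanner\Advanced-ip-scanner.exe",
     "dll": r"C:\Users\alice\Downloads\Advanced-ip-scanner\IVIEWERS.dll", "signed": False},
    {"process": r"C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
     "dll": r"C:\Users\alice\AppData\Local\Temp\Secur32.dll", "signed": False},
    {"process": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\Secur32.dll", "signed": True},
    {"process": r"C:\Program Files\Vendor\app.exe",
     "dll": r"C:\Program Files\Vendor\vendorlib.dll", "signed": True},
]

# Assumed short baseline of DLL names that ship with Windows and are expected only under
# the system directories; a real baseline would be generated from a clean reference image.
SYSTEM_DLL_NAMES = {"secur32.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def in_system_dir(path):
    """True when the file's directory is one of the Windows system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def in_user_writable(path):
    """True when the path lies under a user-writable location (by the assumed markers)."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def classify_image_load(event):
    """Return the reasons an image-load event looks like DLL side-loading (empty if benign)."""
    dll = event["dll"]
    name = ntpath.basename(dll).lower()
    dll_dir = ntpath.dirname(dll).lower()
    proc_dir = ntpath.dirname(event["process"]).lower()
    reasons = []
    # Check 1: a system DLL name resolved from somewhere other than System32/SysWOW64
    if name in SYSTEM_DLL_NAMES and not in_system_dir(dll):
        reasons.append("system DLL name loaded from outside the system directories")
    # Check 2: the classic side-load layout, an unsigned DLL beside the EXE in a writable path
    if dll_dir == proc_dir and in_user_writable(dll) and not event.get("signed", False):
        reasons.append("unsigned DLL loaded from the executable's own directory in a user-writable path")
    return reasons


def find_sideloading(events):
    """Run the checks over a batch of events and return only the hits."""
    hits = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            hits.append({"process": event["process"], "dll": event["dll"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloading(SAMPLE_EVENTS):
        print(hit["process"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The first check is the stronger one because it does not depend on signature data: a file named Secur32.dll has no business loading from a Temp directory whatever its signer. The second check is noisier (legitimate portable applications also ship DLLs beside their executable), so in practice it is better used to raise the score of a process that was itself launched from a Downloads or Temp folder than as a stand-alone alert.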