A new Google Ads malvertising campaign leverages a cluster of domains that mimic legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.
Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said: “Threat actors can use typosquatting techniques to register multiple similar domains and leverage Google Ads to target specific search terms. The attackers pushed these domains to the top of search engine results and directed victims to these sites.”
Some 45 domains are said to have been registered between November 2023 and March 2024, hosting sites masquerading as IT management software such as port scanners, Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner, and ManageEngine.
While this is not the first time threat actors have used malvertising to distribute malware via lookalike sites, it marks the first time this delivery method has been used to propagate a sophisticated Windows backdoor.
As a result, users who search for these tools are shown a fake site containing JavaScript code designed to download a malicious file (“Advanced-ip-scanner.zip”) when they click the download button.
Inside the ZIP archive are a DLL file (“IVIEWERS.dll”) and an executable (“Advanced-ip-scanner.exe”); the latter uses DLL sideloading to load the DLL and start the infection sequence.
The DLL injects shellcode into the “Advanced-ip-scanner.exe” process using a technique called process hollowing, and the injected executable then drops two additional files (OneDrive.exe and Secur32.dll).
OneDrive.exe, a legitimately signed Microsoft binary, is then abused to sideload Secur32.dll and ultimately execute the shellcode backdoor, but not before persistence is set up on the host via a scheduled task and Microsoft Defender Antivirus is disabled.
The backdoor, so named because it uses DNS MX queries for command-and-control (C2), is designed to collect system information, execute commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.
It sends requests to the C2 server (“litterbolo[.]com”) by encoding data in the subdomain portion of a fully qualified domain name (FQDN) inside DNS Mail Exchange (MX) query packets, and receives encoded commands in the response packets.
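As an added illustration of how a defender might surface this MX-query tunnelling pattern in DNS logs (this is not code from the Zscaler report): the log lines, the client addresses and the domain placeholder-c2.test are constructed, and the length, entropy and count thresholds are illustrative assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the report), "epoch client qtype qname".
# placeholder-c2.test stands in for a C2 domain; it is not an indicator from the page.
SAMPLE_LOG = """\
1712000001 10.0.0.5 A www.example.com
1712000002 10.0.0.5 MX example.com
1712000003 10.0.0.7 MX 8f3a1c9e2b7d4f60.a1b2c3d4e5f6.placeholder-c2.test
1712000004 10.0.0.7 MX c0ffee1234deadbe.ab12cd34ef56.placeholder-c2.test
1712000005 10.0.0.7 MX 7e5d3c1b9a8f6e4d.9876fedcba01.placeholder-c2.test
1712000006 10.0.0.9 MX mail.partner.example
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data sits near 4, base32 near 5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (registered_domain, subdomain). Assumes a two-label registered
    domain; a real deployment would consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyse_mx_queries(log_text, min_len=16, min_entropy=3.0, min_unique=3):
    """Group MX queries by registered domain and flag domains that receive
    several distinct, long, high-entropy subdomains: the shape of data being
    carried in the query name rather than of an ordinary mail-server lookup.
    The thresholds are illustrative and should be tuned per environment."""
    per_domain = defaultdict(lambda: {"clients": set(), "encoded": set()})
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        if qtype != "MX":
            continue
        domain, sub = split_qname(qname)
        payload = sub.replace(".", "")  # label dots are framing, not data
        per_domain[domain]["clients"].add(client)
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            per_domain[domain]["encoded"].add(sub)
    return {d: {"clients": sorted(v["clients"]),
                "encoded_subdomains": len(v["encoded"]),
                "suspicious": len(v["encoded"]) >= min_unique}
            for d, v in per_domain.items()}
```

Ordinary MX lookups carry a bare domain or a short host label, so they never accumulate encoded subdomains; a domain that keeps receiving fresh high-entropy labels from one client is worth a closer look.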
“The backdoor uses techniques such as multiple stages of DLL sideloading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively,” Tay and Singh wrote.
“Additionally, the backdoor uses evasion techniques such as anti-dumping to prevent memory analysis and thwart forensic security solutions.”
There is currently no indication of the origins or intentions of the malware operators, but Zscaler said it identified two accounts the actor created on criminal underground forums such as blackhatworld[.]com and Social Engine[.] using the email address wh8842480@gmail[.]com, which was also used to register the domain spoofing Advanced IP Scanner.
Specifically, the attacker was found to have been involved in a June 2023 post offering instructions on how to set up an unlimited Google AdSense threshold account, and to have expressed interest in starting a long-term, unique malvertising campaign.
“Google Ads threshold accounts and their exploitation techniques are frequently traded on BlackHat forums,” the researchers said. “Often, attackers offer ways to add as many credits as possible to run Google Ads campaigns.”
“This allows threat actors to run campaigns without actually paying up to the threshold limit. With a reasonably high threshold limit, threat actors can run advertising campaigns for a significant amount of time.”