
MadMxShell Backdoor

A Google malvertising scheme is using a group of websites that mimic legitimate IP scanner software to distribute a newly discovered backdoor called MadMxShell. The attackers have registered numerous similar-looking domains through typosquatting and are using Google Ads to boost these sites in search results, targeting specific keywords to attract unsuspecting visitors.

Between November 2023 and March 2024, around 45 domains were registered, pretending to be various port scanning and IT management software like Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG and ManageEngine.

While malvertising tactics have been used before to distribute malware through fake websites, this incident marks the first instance of such a method being employed to spread a complex Windows backdoor.

Threat Actors Lure Users with Fake Websites to Deliver Potent Backdoor Malware

Users who search for these tools are directed to fraudulent websites containing JavaScript code that triggers the download of a malicious file named 'Advanced-ip-scanner.zip' when the download button is clicked.

Within the ZIP archive, there are two files: 'IVIEWERS.dll' and 'Advanced-ip-scanner.exe'. The latter utilizes DLL side-loading to load 'IVIEWERS.dll' and initiate the infection process.

The DLL file injects embedded shellcode into the 'Advanced-ip-scanner.exe' process using a technique called process hollowing. Afterward, the injected EXE file unpacks two additional files – 'OneDrive.exe' and 'Secur32.dll'.

The legitimate signed Microsoft binary 'OneDrive.exe' is exploited to load 'Secur32.dll' and execute the shellcode backdoor. Beforehand, the malware establishes persistence on the host by creating a scheduled task and disabling Microsoft Defender Antivirus.

The MadMxShell Backdoor Performs Numerous Threatening Actions

Named for its utilization of DNS MX queries for Command-and-Control (C2), the MadMxShell backdoor is engineered to gather system data, execute commands via cmd.exe, and conduct fundamental file operations like reading, writing and deleting files.

To communicate with its C2 server ('litterbolo.com'), it encodes data within the subdomains of the Fully Qualified Domain Name (FQDN) in DNS mail exchange (MX) query packets and deciphers commands embedded in response packets.

Employing tactics such as multi-stage DLL side-loading and DNS tunneling for C2 communication, the backdoor aims to elude endpoint and network security measures. Additionally, it employs evasion methods such as anti-dumping to thwart memory analysis and impede forensic security measures.
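The C2 channel described above has a detectable shape: legitimate MX lookups target a bare registered domain, whereas a tunnelling client sends MX queries for long, high-entropy subdomain prefixes under one domain. The following detector is an added example written for this page, not code from the researchers; the log format and the hex-encoded prefixes are constructed, and the two-label "registered domain" heuristic is a stand-in for a public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed resolver log (not real traffic): "timestamp client qtype qname".
# The long hex labels under litterbolo.com imitate encoded beacon data.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z 10.0.0.15 A www.example.com
2024-03-05T10:00:02Z 10.0.0.15 MX example.com
2024-03-05T10:00:03Z 10.0.0.22 MX a3f9c1d27e4b8f0e1a2b3c4d5e6f7081.9d2e4f6a8b0c1d3e5f7a9b2c.litterbolo.com
2024-03-05T10:00:04Z 10.0.0.22 MX 4c8e1b0a7d3f5e2c9a6b8d0f1e3a5c7b.2b4d6f8a0c2e4a6c8e0b2d4f.litterbolo.com
2024-03-05T10:00:05Z 10.0.0.22 MX mail.litterbolo.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score close to their alphabet's maximum."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive last-two-labels heuristic (assumption); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_suspicious_mx(qname: str, min_len: int = 40, min_entropy: float = 3.5) -> bool:
    """True when the subdomain part of an MX query name looks like an encoded payload.
    A normal MX lookup has no subdomain prefix at all (or a short one such as 'mail')."""
    labels = qname.rstrip(".").split(".")
    prefix = "".join(labels[:-2])
    return len(prefix) >= min_len and shannon_entropy(prefix) >= min_entropy


def flag_mx_tunnelling(log_text: str) -> dict:
    """Count suspicious MX queries per registered domain so a C2 domain stands out."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, qtype, qname = m.groups()
        if qtype.upper() == "MX" and is_suspicious_mx(qname):
            hits[registered_domain(qname)] += 1
    return dict(hits)
```

Tune `min_len` and `min_entropy` against a baseline of your own resolver logs; MX queries with any substantial subdomain prefix are rare enough that the counts per domain, rather than a single hit, are the signal worth alerting on.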

The Threat Actor behind the MadMxShell Backdoor Has Unknown Goals

There are currently no definitive clues regarding the origin or intentions of the malware operators. However, researchers have uncovered two accounts created by them on criminal underground forums. Specifically, these actors have been observed participating in discussions offering methods to establish unlimited Google AdSense threshold accounts as far back as June 2023, suggesting a keen interest in launching a sustained malvertising campaign.

Accounts and strategies for exploiting Google Ads thresholds are commonly exchanged on BlackHat forums. These methods often provide a means for threat actors to accumulate credits for running Google Ads campaigns without immediate payment, effectively extending the duration of their campaigns. A sufficiently high threshold enables threat actors to sustain their ad campaigns for an extended period.
