Security researchers uncovered a sophisticated malvertising campaign targeting IT professionals, particularly those in security and network administration roles.
The threat actor behind this attack has been leveraging Google Ads to distribute trojanized versions of popular IP scanning and IT management software.
Attack Chain
The attack begins with the threat actor registering multiple look-alike domains that spoof well-known network scanning tools, such as Advanced IP Scanner, Angry IP Scanner, and PRTG IP Scanner.
They then run Google Ads campaigns to push these malicious domains to the top of search results for relevant keywords.
When unsuspecting users click on the malicious ads, they are redirected to the spoofed websites, which have been carefully crafted to mimic legitimate software.
The websites contain modified JavaScript code that redirects users to download a malicious ZIP archive file.
The ZIP archive contains a renamed copy of the legitimate, Microsoft-signed executable oleview.exe (shipped as Advanced-ip-scanner.exe) and a large DLL named IVIEWERS.dll.
When Advanced-ip-scanner.exe is executed, it sideloads IVIEWERS.dll, which injects a heavily obfuscated payload into a newly spawned Advanced-ip-scanner.exe process.
This payload is a multi-stage backdoor called “MadMxShell,” allowing the threat actor to collect system information, execute commands via cmd.exe, and perform basic file manipulation operations.
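The sideloading step described above leaves two artifacts a defender can key on: a process whose on-disk name does not match the OriginalFileName embedded in its PE version resource, and an unsigned DLL loaded from that process's own directory. The following Python is an added illustration, not code from the article or from Zscaler; it runs over constructed Sysmon-style Event ID 1 (process create) and Event ID 7 (image load) records, and the paths, process IDs and the Notepad++ control record are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not taken from the article). Field names follow
# Sysmon Event ID 1 (process create) and Event ID 7 (image load).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "4120",
     "Image": r"C:\Users\admin\Downloads\Advanced-ip-scanner.exe",
     "OriginalFileName": "OLEVIEW.EXE", "Company": "Microsoft Corporation"},
    {"EventID": "7", "ProcessId": "4120",
     "Image": r"C:\Users\admin\Downloads\Advanced-ip-scanner.exe",
     "ImageLoaded": r"C:\Users\admin\Downloads\IVIEWERS.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": "7", "ProcessId": "4120",
     "Image": r"C:\Users\admin\Downloads\Advanced-ip-scanner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Benign control: on-disk name and OriginalFileName agree (hypothetical install path).
    {"EventID": "1", "ProcessId": "5008",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "OriginalFileName": "Notepad++.exe", "Company": "Notepad++"},
]


def find_masquerading(events: List[Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map PID -> (on-disk name, OriginalFileName) for processes whose
    executable has been renamed relative to its PE version resource."""
    hits: Dict[str, Tuple[str, str]] = {}
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        on_disk = ntpath.basename(ev["Image"]).lower()
        original = ev.get("OriginalFileName", "").lower()
        if original and original != on_disk:
            hits[ev["ProcessId"]] = (on_disk, original)
    return hits


def find_sideloads(events: List[Dict[str, str]],
                   suspects: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """For already-suspect PIDs, return (PID, DLL name) for every unsigned DLL
    loaded from the same directory as the process image: the sideload pattern."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev.get("EventID") != "7" or ev["ProcessId"] not in suspects:
            continue
        same_dir = (ntpath.dirname(ev["ImageLoaded"]).lower()
                    == ntpath.dirname(ev["Image"]).lower())
        if same_dir and ev.get("Signed", "").lower() != "true":
            findings.append((ev["ProcessId"], ntpath.basename(ev["ImageLoaded"])))
    return findings


def analyse(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Chain the two checks: a renamed binary that then loads an unsigned
    same-directory DLL is the combination worth paging someone for."""
    suspects = find_masquerading(events)
    return {"masquerading": suspects, "sideloads": find_sideloads(events, suspects)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The OriginalFileName mismatch alone produces noise (legitimate installers rename binaries too), which is why the DLL check is gated on it; on real telemetry you would additionally compare the DLL's hash against the vendor's known-good copy rather than rely on the Signed flag alone.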
Zscaler, which published the original research, reports that attackers are distributing weaponized IP scanners through poisoned Google Ads.
Technical Details
Malvertising Campaign
The threat actor has registered numerous domains that spoof popular network scanning and IT management software, such as:
- advansed-ip-scanner[.]net (a look-alike of www.advanced-ip-scanner[.]com)
- angry-ip-scaner[.]net (a look-alike of www.angryip.org)
- prtg-ip-scanner[.]net (a look-alike of www.paessler.com/prtg)
They then run Google Ads campaigns targeting keywords related to these tools and general IT management tasks to drive traffic to their malicious websites.
The fraudulent websites’ source code closely mirrors that of the legitimate software websites, except for minor edits to the JavaScript code.
These modifications redirect users to download a malicious ZIP archive file when they click the download button.
JavaScript code comparison between legitimate and malicious websites.
The malware uses a multi-stage attack chain, with the final payload being a backdoor dubbed “MadMxShell.”
This backdoor can collect system information, execute commands via cmd.exe, and perform file manipulation operations.
It communicates with its command-and-control (C2) server, litterbolo[.]com, over a custom DNS-based protocol to evade detection.
Requests are encoded in the subdomain labels of DNS MX queries, and the C2 server returns its responses encoded in the corresponding MX answers.
C2 Communication Protocol
The malware supports the following types of requests and commands:
| Type | Name | Description |
| --- | --- | --- |
| 0 | Heartbeat | Indicates that the malware is ready to accept the next command. |
| 1 | Registration | Sent as the first request of a session or when the C2 issues a re-registration command. |
| 2 | | Acknowledges the receipt of C2 commands. |
| 4 | System info command result | Contains system information collected for type 4 commands. |
| 5 | Shell command result | Contains shell output for type 5 commands. |
| 6 | File command result | Contains file and/or directory data for type 6 commands. |
The C2 server can respond with various commands, such as collecting system information, executing commands via cmd.exe, and manipulating files and directories.
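Because the protocol above rides on MX queries whose subdomains carry encoded data, the traffic has a shape that passive DNS logging can pick out: a workstation that issues MX queries at all is unusual, and a burst of MX queries for long, high-entropy subdomains under one parent domain is more so. The following Python is an added example, not code from the article or from Zscaler. It parses constructed resolver log lines (timestamp, client, query type, query name; the format, clients and the hex-looking subdomains are assumptions for this example) and reports parent domains that receive repeated MX queries with long, high-entropy subdomain labels. The C2 domain appears in its defanged form exactly as the article gives it and is refanged only for parsing.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed resolver log lines (not real telemetry): "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-04-10T09:00:01Z 10.0.0.15 MX mail.example.com
2024-04-10T09:00:05Z 10.0.0.23 MX 3f9a1c0b7e2d.litterbolo[.]com
2024-04-10T09:00:06Z 10.0.0.23 MX 8b4e2d91a7c3.litterbolo[.]com
2024-04-10T09:00:07Z 10.0.0.23 MX c71d0e5f2a9b.litterbolo[.]com
2024-04-10T09:00:08Z 10.0.0.23 MX e2a9f4b1d8c6.litterbolo[.]com
2024-04-10T09:00:12Z 10.0.0.42 A www.advanced-ip-scanner.com
2024-04-10T09:00:15Z 10.0.0.23 MX 5d83b0f7c1e4.litterbolo[.]com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def parse_line(line: str) -> Dict[str, str]:
    ts, client, qtype, qname = line.split()
    # Refang "[.]" so label splitting works; real logs would not be defanged.
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.replace("[.]", ".").lower().rstrip(".")}


def parent_domain(qname: str, levels: int = 2) -> str:
    """Registrable domain approximated as the last two labels (assumption:
    a public-suffix list would be used in production)."""
    return ".".join(qname.split(".")[-levels:])


def suspicious_mx_tunnels(log_text: str, min_queries: int = 3,
                          min_sub_len: int = 10, min_entropy: float = 3.0) -> Dict[str, Dict[str, object]]:
    """Return parent domains that received >= min_queries MX queries whose
    subdomain part is both long and high-entropy, with the clients involved."""
    per_parent: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "MX":
            continue
        labels = rec["qname"].split(".")
        sub = ".".join(labels[:-2])  # everything left of the parent domain
        if sub and len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            per_parent[parent_domain(rec["qname"])].append(rec["client"])
    return {parent: {"queries": len(clients), "clients": sorted(set(clients))}
            for parent, clients in per_parent.items() if len(clients) >= min_queries}


if __name__ == "__main__":
    for parent, info in suspicious_mx_tunnels(SAMPLE_LOG).items():
        print(f"{parent}: {info['queries']} suspicious MX queries from {info['clients']}")
```

The thresholds are starting points: mail servers legitimately issue many MX queries, but for short, dictionary-like hostnames, so the entropy and length gates separate them from encoded payloads. Catching the response half of the protocol (commands carried in the MX answers) requires logging answer records, not just queries.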
The investigation revealed that the threat actor has registered numerous domains using the email address [email protected] to spoof various network scanning and IT management software.
These domains were hosted on servers belonging to the following Autonomous System Numbers (ASNs):
- AS208312 (REDBYTES, RU)
- AS16276 (OVH, FR)
The C2 domain litterbolo[.]com used a dedicated nameserver, which the malware's design requires: because C2 traffic is tunneled through DNS, the attacker must operate the authoritative server that answers the MX queries.
OSINT Research
Further open-source intelligence (OSINT) research uncovered that the threat actor had created accounts on criminal underground forums, such as blackhatworld[.]com and social-eng[.]ru, using the same email address ([email protected]).
On the blackhatworld[.]com forum, the threat actor expressed interest in techniques for bypassing the Google Adsense threshold, which aligns with the malvertising tactics observed in this campaign.
Posts made by the threat actor showing interest in the Google Ads abuse course.
This sophisticated malvertising campaign, which targets IT professionals, particularly those in security and network administration roles, highlights the ongoing threat posed by advanced persistent threat (APT) groups and initial access brokers (IABs).
By leveraging spoofed software and abusing Google Ads, the threat actor could distribute a powerful backdoor capable of harvesting sensitive information and providing remote access to infected systems.
The security community must remain vigilant and educate IT teams on the risks of downloading software from untrusted sources, even if they appear legitimate.
Implementing robust security measures, such as network monitoring, endpoint protection, and user awareness training, can help mitigate the impact of such attacks.