Malvertising: Fake Popular Software Ads Deliver New MadMxShell Backdoor

IT professionals are under attack! This article exposes a malicious malvertising campaign targeting IT teams with a novel backdoor named MadMxShell. Learn how attackers use typosquatting and DNS techniques to compromise systems.
In a recent wave of cyberattacks, IT professionals have become the target of a cunning malvertising campaign uncovered by Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh.

According to the company’s research, the campaign uses deceptive online advertisements to distribute a previously unseen backdoor named “MadMxShell.” Zscaler ThreatLabz first observed it in March 2024, when a threat actor was found using look-alike domains to deliver MadMxShell, relying on DLL sideloading, abuse of the DNS protocol for command-and-control, and anti-dumping techniques aimed at defeating memory-forensics security solutions.

Researchers believe the attackers took a calculated approach. Between November 2023 and March 2024, they registered multiple domain names closely resembling those of popular IP scanner and network administration software, including Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner by Paessler and ManageEngine, as well as domains themed around network administration tasks such as VLAN configuration.

This tactic is known as typosquatting. Combined with paid search advertising, it places the look-alike domains at the top of search results, where an IT professional hunting for the legitimate installer may click the malicious advertisement by mistake.

Clicking the ad redirects the user to a landing page designed to look like the genuine software vendor’s website, where they are offered a downloadable file that, unbeknownst to them, harbours the MadMxShell backdoor.

New Backdoor with Evasive Techniques

As per Zscaler’s blog post, the MadMxShell backdoor employs a multi-stage deployment process designed to evade detection by traditional security solutions. The initial payload leverages DLL sideloading, a technique in which a legitimate program is tricked into loading a malicious library placed in its own directory under the file name it expects, because Windows searches the application directory before the system directories. This malicious library then downloads additional components that establish communication with the attacker’s command-and-control (C2) server.
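As an added example, not code from Zscaler’s analysis, the following Python script applies one common sideloading heuristic to constructed Sysmon Event ID 7 (ImageLoad) records: an executable running from a user-writable directory loads a DLL from that same directory, and the DLL carries no valid Authenticode signature. The JSON lines, paths, process names and the directory list are all assumptions made up for the example; nothing in it describes MadMxShell’s actual file names.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Heuristic (an assumption of this example, not a rule from the Zscaler report):
an executable in a user-writable directory loads a DLL from that same
directory, and the loaded DLL has no valid Authenticode signature. Windows
resolves DLLs from the application directory before the system directories,
which is exactly what DLL sideloading relies on.
"""
import json
import ntpath

# Constructed JSON-lines sample in the Sysmon Event ID 7 field layout.
# Paths, names and timestamps are illustrative; this is not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 7, "UtcTime": "2024-04-02 09:14:01.004", "ProcessId": 4120, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2024-04-02 09:14:03.112", "ProcessId": 5208, "Image": "C:\\Users\\alice\\Downloads\\ip-scanner-setup\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2024-04-02 09:14:03.140", "ProcessId": 5208, "Image": "C:\\Users\\alice\\Downloads\\ip-scanner-setup\\setup.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\ip-scanner-setup\\support.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2024-04-02 09:15:10.500", "ProcessId": 6012, "Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Editor\\editor.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Programs\\Editor\\ffmpeg.dll", "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2024-04-02 09:16:22.019", "ProcessId": 6330, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
'''

# Directory prefixes a standard (non-admin) user can normally write to.
# Assumed list for the example; extend it for your environment.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)


def is_user_writable(path):
    """True if the path sits under a directory a standard user can write to."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def flag_sideload(event):
    """Return an alert dict for a suspicious image load, or None."""
    if event.get("EventID") != 7:
        return None
    image = event["Image"]
    dll = event["ImageLoaded"]
    image_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(dll).lower()
    # Sideloading means the DLL was resolved from the application directory.
    if image_dir != dll_dir:
        return None
    # Sideloads from Program Files exist too, but staging them needs admin
    # rights; skipping them trades that coverage for far fewer false positives.
    if not is_user_writable(image_dir):
        return None
    # Sysmon's Signed/SignatureStatus fields describe ImageLoaded, not Image.
    if event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid":
        return None
    return {
        "time": event.get("UtcTime"),
        "pid": event.get("ProcessId"),
        "process": image,
        "dll": dll,
        "reason": "unsigned DLL loaded from user-writable application directory",
    }


def scan(text):
    """Run the heuristic over a JSON-lines log and return the alerts."""
    return [a for a in (flag_sideload(e) for e in parse_events(text)) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} pid={alert['pid']} {alert['process']} -> "
              f"{alert['dll']}: {alert['reason']}")
```

Against the sample, only the unsigned `support.dll` loaded by `setup.exe` from a Downloads folder is reported; the signed same-directory load under `AppData` and the unsigned plugin under `Program Files` are deliberately left alone, which is the trade-off to tune when you deploy this against real Sysmon data.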

One of the most concerning aspects of MadMxShell is its use of DNS MX record queries for C2 communication. This technique leverages the standard Domain Name System (DNS) protocol in an unconventional way to mask communication with the attacker’s infrastructure: MX lookups look like routine mail-related traffic, are rarely blocked at the network edge, and are seldom inspected. Additionally, MadMxShell employs anti-dumping techniques to hinder memory analysis, making it difficult for security researchers to understand its inner workings.
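The detection angle on that C2 channel, as an added example that is not Zscaler’s code and does not reproduce MadMxShell’s real encoding: the Python script below reads a constructed resolver log and flags a client that issues many MX queries against one registered domain with long, high-entropy, never-repeating leftmost labels. The log lines, the domain `c2-example.test`, the hex labels and the thresholds are all assumptions made up for this example.

```python
"""Spot DNS-tunnelled C2 hiding in MX queries in a resolver log.

Legitimate MX lookups ask for the mail exchangers of a few domains, use short
dictionary-like names and repeat them. A backdoor tunnelling data in MX queries
issues many lookups against one registered domain, each with a long,
high-entropy, never-repeating leftmost label. Thresholds below are assumptions
for this example, not values taken from the MadMxShell analysis.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <query name> <query type>".
# The domain c2-example.test and the hex labels are made up for this example.
SAMPLE_LOG = """
1712048101.001 10.0.0.5 example.com MX
1712048101.250 10.0.0.5 www.example.com A
1712048102.010 10.0.0.5 example.org MX
1712048140.000 10.0.0.5 example.com MX
1712048200.001 10.0.0.9 mail.example.org MX
1712048200.002 10.0.0.9 mail.example.org MX
1712048200.003 10.0.0.9 mail.example.org MX
1712048200.004 10.0.0.9 mail.example.org MX
1712048200.005 10.0.0.9 mail.example.org MX
1712048300.100 10.0.0.7 a7f03e9c1b5d24866842d5b1c9e30f7a.c2-example.test MX
1712048301.100 10.0.0.7 3c9e1a5f7b0d24866842d0b7f5a1e9c3.c2-example.test MX
1712048302.100 10.0.0.7 e2b8f4c0a6d1937557391d6a0c4f8b2e.c2-example.test MX
1712048303.100 10.0.0.7 5d1c9b3a7f2e08644680e2f7a3b9c1d5.c2-example.test MX
1712048304.100 10.0.0.7 91e7c5b3a0f2d864468d2f0a3b5c7e19.c2-example.test MX
1712048305.100 10.0.0.7 c4a2e0f8d6b1395775931b6d8f0e2a4c.c2-example.test MX
1712048306.000 10.0.0.7 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name. Assumption: no public-suffix list, so names
    under suffixes such as co.uk would be grouped under the wrong domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def leftmost_label(qname):
    """The label carrying tunnelled data, or '' if the name has no subdomain."""
    labels = qname.rstrip(".").split(".")
    return labels[0] if len(labels) > 2 else ""


def parse(lines):
    """Yield one record per well-formed log line."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": float(ts), "client": client,
               "qname": qname.lower(), "qtype": qtype.upper()}


def detect(lines, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Return alerts for (client, registered domain) pairs whose MX queries
    look like an encoded data channel rather than mail routing."""
    per_pair = defaultdict(list)
    for rec in parse(lines):
        if rec["qtype"] != "MX":
            continue
        key = (rec["client"], registered_domain(rec["qname"]))
        per_pair[key].append(leftmost_label(rec["qname"]))
    alerts = []
    for (client, domain), labels in per_pair.items():
        if len(labels) < min_queries:
            continue
        avg_len = sum(len(lb) for lb in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lb) for lb in labels) / len(labels)
        distinct = len(set(labels))
        # Real mail clients repeat the same few names; a tunnel never does.
        if avg_len >= min_label_len and avg_ent >= min_entropy and distinct == len(labels):
            alerts.append({"client": client, "domain": domain, "queries": len(labels),
                           "avg_label_len": avg_len, "avg_entropy": avg_ent})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['client']} -> {a['domain']}: {a['queries']} MX queries, "
              f"avg label {a['avg_label_len']:.0f} chars, entropy {a['avg_entropy']:.2f} bits")
```

In the sample, 10.0.0.9 repeats `mail.example.org` five times and stays quiet, while 10.0.0.7 trips all three conditions at once. On real data, feed the script your resolver or Zeek `dns.log` export, and start by baselining how many MX queries a workstation normally makes per day; for most hosts that is close to zero, which is what makes this channel detectable once someone looks.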

Protecting Your Systems:

To mitigate the risk, treat search-engine ads for administrative tools with suspicion and download such software only from the vendor’s known website address, enable pop-up and ad blockers, keep endpoint security software current, and educate employees about malvertising and social-engineering tactics. Network defenders should also baseline DNS MX query volume per host, since this backdoor’s C2 channel rides on those queries.

Jason Soroko, Senior Vice President of Products at Sectigo, commented on the new campaign: “Defenders don’t usually look for malicious control communications (C2) in email exchange DNS traffic, so the attackers in this case found a place to hide. The attackers also employ a technique that blocks the ‘dumping’ of memory for analysis by endpoint security solutions,” Jason explained.

“Malvertising isn’t new; however, the malware techniques being used here demonstrate that the technology pipeline of the attackers is deep and a great deal of thought has been put into hiding in the dark corners of networking and operating systems,” he warned.
