Security researchers have uncovered a malicious Google Ads campaign that promoted fake IP scanner software. The campaign, identified by Zscaler ThreatLabz, involved attackers impersonating legitimate software vendors to distribute a previously undocumented Windows backdoor. It ran between November 2023 and March 2024, during which the threat actors registered at least 45 typosquatted domains imitating well-known IP scanning and network-management tools, including Advanced IP Scanner, Angry IP Scanner, IP Scanner PRTG, and ManageEngine.

The attackers placed ads for these malicious sites through Google Ads, possibly by using a compromised Google Ads account. As a result, people searching for IP scanning software would see the deceptive ads at the top of their search results and in other ad placements. Users who downloaded the software offered on these sites installed the MadMxShell backdoor on their systems, as reported by The Hacker News.
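A lookalike-domain check of the kind a defender would run against newly seen domains (from ad-click telemetry, proxy logs or certificate transparency) is shown below. This is an added example, not code from the report or from Zscaler; the brand keywords, the legitimate-domain allowlist, the digit-to-letter homoglyph map and the candidate domains (all under `.test`) are assumptions constructed for the example, and none of the candidates is a domain named in the report.

```python
import re

# Assumed legitimate names and home domains of the impersonated brands (not taken from the report).
BRANDS = {
    "advanced-ip-scanner": "advanced-ip-scanner.com",
    "angryip": "angryip.org",
    "prtg": "paessler.com",
    "manageengine": "manageengine.com",
}
LEGIT_DOMAINS = set(BRANDS.values())

# Digits often used as letter substitutes in typosquats; this map is an assumption and not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete, substitute), computed one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Lowercase, map digit homoglyphs to letters and drop separators, so 'angry1p' becomes 'angrylp'."""
    return re.sub(r"[^a-z]", "", label.lower().translate(HOMOGLYPHS))


def second_level_label(domain: str) -> str:
    # Naive registrable-domain heuristic: assumes no multi-part public suffix such as co.uk.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str):
    """Return (verdict, matched_brand, edit_distance); verdict is 'legitimate', 'lookalike' or 'benign'."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return ("legitimate", None, 0)
    sld = normalize(second_level_label(domain))
    best = None
    for brand in BRANDS:
        target = normalize(brand)
        if target in sld:
            return ("lookalike", brand, 0)  # brand name embedded, e.g. <brand>-download
        dist = levenshtein(sld, target)
        if best is None or dist < best[1]:
            best = (brand, dist)
    brand, dist = best
    # Short keywords like 'prtg' get a tighter bound, otherwise almost any 4-letter label would match.
    max_dist = 2 if len(normalize(brand)) >= 10 else 1
    if dist <= max_dist:
        return ("lookalike", brand, dist)
    return ("benign", None, dist)


# Constructed candidates for the demo; none of these is a domain from the report.
CANDIDATES = [
    "advanced-ip-scanner.com",
    "advansed-ip-scanner.test",
    "advanced-ip-scaner.test",
    "advanced-ip-scanner-download.test",
    "angry1p.test",
    "manageengine-download.test",
    "totally-unrelated.test",
]

if __name__ == "__main__":
    for d in CANDIDATES:
        print(f"{d:40} {classify(d)}")
```

The edit-distance bound is deliberately loose for long brand names and tight for short ones; in production the allowlist should come from the vendors' actual domains, and the second-level-label heuristic should be replaced with a public-suffix-list lookup so that `co.uk`-style domains are handled correctly.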

MadMxShell is a previously unseen backdoor with a multi-stage infection chain built from several DLL and EXE files. It relies on evasion techniques such as multiple rounds of DLL side-loading, in which a legitimate executable is made to load an attacker-supplied DLL placed alongside it, and DNS tunneling for command-and-control communication, which lets it slip past controls that inspect only web traffic. The backdoor also employs anti-dumping techniques to frustrate memory analysis and forensic tooling, making it a potent threat to users' data and systems.
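Because the command channel is DNS rather than HTTP, resolver logs are where this backdoor is most likely to show up. The detector below is an added example, not code from the report or from Zscaler: it groups queries by client and registrable domain and flags a domain when one client has looked up many distinct, long, high-entropy leftmost labels under it, which is the shape DNS tunneling leaves behind. The log format and every line in `SAMPLE_LOG` are constructed for the example; the sample uses MX queries, which is an assumption about the transport here, and the heuristic itself is independent of query type.

```python
import math
from collections import defaultdict

# Constructed resolver log lines in the form "timestamp client qtype qname"; not data from the report.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z 10.0.0.15 A www.advanced-ip-scanner.com
2024-02-01T10:00:02Z 10.0.0.15 A updates.example.net
2024-02-01T10:00:03Z 10.0.0.15 MX q7m2x9c4k1v8z3b6n5p0.evil-example.test
2024-02-01T10:00:04Z 10.0.0.15 MX h3w6y1u4t8r2e5a9s0d7.evil-example.test
2024-02-01T10:00:05Z 10.0.0.15 MX j6l2o8i4f1g9k3v7x5m0.evil-example.test
2024-02-01T10:00:06Z 10.0.0.15 MX p4c8a2n6b0z3q7w1e5r9.evil-example.test
2024-02-01T10:00:07Z 10.0.0.15 MX t2y6u0i4o8s1d5f9g3h7.evil-example.test
2024-02-01T10:00:08Z 10.0.0.22 A a1b2c3d4e5f6.cdn-example.net
2024-02-01T10:00:09Z 10.0.0.22 A a1b2c3d4e5f6.cdn-example.net
malformed line that should be skipped
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    # Naive "last two labels" heuristic; assumes no multi-part public suffix such as co.uk.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples, skipping lines that do not have the expected four fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "." not in parts[3]:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype, qname.lower().rstrip(".")


def find_tunneling_candidates(log_text: str, min_unique=5, min_len=16, min_entropy=3.5):
    """Flag (client, domain) pairs whose distinct leftmost labels look like encoded payload."""
    labels = defaultdict(set)   # (client, base domain) -> set of distinct leftmost labels
    qtypes = defaultdict(set)
    for client, qtype, qname in parse_log(log_text):
        base = registrable_domain(qname)
        if qname == base:
            continue  # bare registrable domain: no subdomain label that could carry data
        leftmost = qname[: -len(base) - 1].split(".")[0]
        labels[(client, base)].add(leftmost)
        qtypes[(client, base)].add(qtype)

    findings = []
    for key, subs in labels.items():
        # Counting distinct labels means repeated lookups of one long CDN hostname are not flagged.
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            client, base = key
            findings.append({
                "client": client,
                "domain": base,
                "unique_subdomains": len(subs),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "qtypes": sorted(qtypes[key]),
            })
    return findings


if __name__ == "__main__":
    for f in find_tunneling_candidates(SAMPLE_LOG):
        print(f)
```

The thresholds are starting points, not tuned values: anti-virus and telemetry services legitimately generate many unique high-entropy labels under their own domains, so a production rule needs an allowlist for those and a time window so the unique-label count does not accumulate forever.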

While the identity and motivations of the operators behind this malvertising campaign remain unclear, the risks posed by a backdoor of this kind are broad: it can be used for data theft and espionage, unauthorized system access, establishing persistence, and remote control of compromised systems.

