A false version of a popular tool used by network administrators to manage local area networks provides an attacker with backdoor access and has impacted at least 80 organizations around the world, according to new research from Kaspersky.
Software supply chain attacks have become more common among cybercriminals in recent years, but in this case, researchers say it is rare to see a backdoored binary that is signed, which is the case with AdvancedIPSpyware. It's most likely that the certificate attackers used to sign the malware-laced version was stolen.
Kaspersky's Jornt van der Wiel noted in comments provided to SC Media that Advanced IP Scanner is typically used by large organizations to provide system administrators with an overview of their network, and security enthusiasts insight into operations of devices in their home network. "Because of anonymization, we cannot see what organizations have the backdoored version of this tool installed," he said. "However, given the target audience of Advanced IP Scanner, we believe with medium confidence that the target audience of the backdoored version is the same."
According to the report, the malware was hosted on two sites, whose domains are almost identical to the legitimate Advanced IP Scanner website, differing only by one the letter. The websites look the same, with the only difference being the 'free download' button on the malicious websites.
The report found the malicious version of the tool has infected more than 80 entities across a wide geographic footprint, including Western Europe, Latin America, Africa, South Asia, and countries within the Commonwealth of Independent States.
While researchers did not mention victims in North America, van der Wiel told SC Media that could be due to "limited visibility."
Indeed, John Shier, a senior security advisor for Sophos, told SC Media that Advanced IP Scanner is a popular tool for attackers and is also used within a substantial number of U.S.-based organizations.
“The primary use of this tool in our dataset was for network discovery, which we found in 21% of cases, compared to 12% in 2020. It was found in 23% of victims from the U.S,” Shier noted in an email.
SC Media has reached out to Kaspersky for more details on the malware’s victim set.
The report also noted that modular architecture is another distinctive feature of AdvancedIPSpyware. While it is typically associated with nation-state sponsored malware, the attacks were not targeted at any particular entity or industry in this case, which confirms that AdvancedIPSpyware is likely not related to a politically motivated campaign.
Specifically, Kaspersky experts found three modules that connect with one another via IPC — main module that updates or deletes itself, command execution model that involves typical spyware functionality, and network communication module that handles all network-related tasks.
In addition to its utility providing initial access to victim environments, Shier questioned whether the backdoored version could also potentially act as a criminal version of “corporate espionage.”
“An unintended side effect would be that the criminals behind the backdoored version could now have access to the victims of other criminals unknowingly using the trojanized version,” Shier said.
