Vulnerability Management, Malware

‘MadMxShell’ leverages Google Ads to deploy malware via Windows backdoor

The Google Ads logo and app on a home page.

An undetermined threat actor was observed weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute malware via a previously unseen Windows backdoor.

In a blog post April 17, Zscaler ThreatLabz said the threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these fraudulent domains to the top of search engine results targeting specific search keywords, thereby luring potential victims to these IP scanner sites.

The Zscaler researcher said the newly discovered backdoor uses several techniques such as multiple stages of Windows DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions.

Zscaler dubbed this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.

“The selection of spoofed software by this threat actor suggests that their targets primarily consist of IT professionals, particularly those in IT security and network administration roles,” wrote the researchers. “This aligns with the recent trend observed where advanced persistent threat groups such as Nobelium crafted attacks targeting these teams.”

The MadMxShell campaign stands out as a particularly unique and dangerous Windows backdoor because of its multi-pronged approach, said Sarah Jones, cyber threat intelligence research analyst at Critical Start. Jones said unlike most backdoors that cast a wide net, MadMxShell targets a specific group: IT security and network administration teams.

Targeting security pros has greater impact than just stolen credentials

“These individuals hold privileged access to a network's most critical systems and data,” said Jones. “A successful attack could provide attackers with an easy path to the most valuable assets. Furthermore, the campaign leverages a clever social engineering tactic through malvertising. By using look-alike domains of popular IT security and network management software, they trick IT professionals into trusting the source and downloading the malware.” 

To make matters worse, Jones added that MadMxShell employs multiple layers of obfuscation, making it extremely difficult to detect the malicious content hidden within. “Traditional security software might be rendered useless against this complexity,” Jones said.  

As long as malvertising remains successful, Xen Madden cybersecurity expert at Menlo Security said we'll likely see many types of malware pivoting to use this delivery method, marking a series of unfortunate firsts. Madden said we can’t overstate the significance of the Windows backdoors, as they grant threat actors full access to manipulate systems as they wish.

“This access could be followed by a large-scale ransomware attack on any company that falls for the malvertising,” said Madden. “It has a larger impact than just stolen credentials which can be changed quickly.”

Cyware Director Emily Phelps said unlike traditional malvertising, which might extend to relatively straightforward installations and phishing attempts, a Windows backdoor provides persistent access to a victim’s system.

“This backdoor lets attackers gain unauthorized access to a victim’s computer system, potentially leading to data theft, surveillance, and further distribution of malware," said Phelps. “The ability to remotely control the system can enable attackers to manipulate or disrupt operations, posing security risks to personal, corporate, and government networks. It can also be challenging to detect and remove backdoors once installed, making the infected systems vulnerable to ongoing exploits.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.