Hidden Backdoor Uncovered: Fake IP Scanner Software Exploited via Malicious Google Ads

Fake IP Scanner Software, Google Ads, Hidden Backdoor, Malicious

Title: Unveiling a New Google Malvertising Campaign and the Sophisticated Backdoor Exploited


In recent years, the rise of malvertising campaigns has posed severe threats to internet users. These campaigns take advantage of ads displayed on legitimate websites to distribute malware. Malvertising attacks often deceive users by redirecting them to fraudulent websites or downloading malicious files onto their devices. In a new development, a Google malvertising campaign has emerged that employs a sophisticated backdoor called MadMxShell. This article will delve into the details of this campaign and discuss its implications for cybersecurity.

Google Malvertising Campaign: Techniques and Methodology

Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh discovered a cluster of domains employed by threat actors to execute the malvertising campaign. These domains mimicked legitimate IP scanner software, including popular tools like Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. The threat actors utilized a typosquatting technique to register multiple look-alike domains and leveraged Google Ads to elevate these domains to the top of search engine results. This strategic placement aimed to entice victims to visit these sites and inadvertently download the malicious files.

The Infection Sequence:

Upon landing on the bogus sites, users were prompted to download a zip file named “” by clicking on a deceptive download button. Inside the ZIP archive, victims unknowingly downloaded a DLL file (“IVIEWERS.dll”) and an executable file (“Advanced-ip-scanner.exe”). The DLL file adopted a technique called process hollowing to inject shellcode into the “Advanced-ip-scanner.exe” process, resulting in the unpacking of two additional files: OneDrive.exe and Secur32.dll.

By exploiting the legitimate Microsoft binary OneDrive.exe, the attackers sideloaded Secur32.dll and activated the shellcode backdoor. To maintain persistence on the host system, the malware established a scheduled task and disabled Microsoft Defender Antivirus. This sophisticated Windows backdoor, dubbed MadMxShell, relied on DNS MX queries for command-and-control (C2) communication.

Functionality and Evasion Techniques:

MadMxShell, the backdoor component of the campaign, exhibits various functionalities aimed at system manipulation and data exfiltration. It collects system information, executes commands via cmd.exe, and performs essential file manipulation operations such as reading, writing, and deleting files. The backdoor communicates with the C2 server (“litterbolo[.]com”) by encoding data within the subdomains of Fully Qualified Domain Names (FQDN) using DNS mail exchange (MX) query packets.

To evade detection, the backdoor employs multiple stages of DLL side-loading and DNS tunneling for C2 communication. Additionally, it utilizes anti-dumping techniques to impede memory analysis and hinder forensic security solutions. These evasion techniques make it challenging to detect and mitigate the presence of the backdoor.

Investigating the Threat Actors:

While the origin and intentions of the malware operators remain unknown, Zscaler identified two accounts associated with the campaign on criminal underground forums. These forums, including blackhatworld[.]com and social-eng[.]ru, were utilized by the threat actors to offer services related to Google AdSense threshold accounts.

This indicates the attackers’ interest in establishing a long-lasting malvertising campaign. Google AdSense threshold accounts are often traded in black-hat forums and allow threat actors to run ad campaigns without paying until the threshold limit is reached. This higher threshold enables a significant duration for running the malicious campaign.


The emergence of a Google malvertising campaign employing the sophisticated backdoor MadMxShell raises alarm bells in the cybersecurity community. The use of typosquatting and Google Ads creates an avenue for threat actors to distribute malware effectively. By mimicking legitimate software, the attackers exploit users’ trust and lead them to download malicious files unknowingly. The advanced techniques employed, including DLL side-loading, process hollowing, and DNS tunneling, showcase the evolving tactics of cybercriminals.

To combat such campaigns, it is crucial for users to exercise caution while downloading files from the internet and to update their endpoint security solutions regularly. Additionally, organizations should implement robust network security measures to detect and mitigate malvertising attacks effectively.

With the growing sophistication of malware, continuous vigilance and proactive cybersecurity measures are necessary to safeguard against emerging threats.

Source link

Leave a Comment