easy-accordion-free
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114zoho-flow
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114wordpress-seo
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114IntroductionBeginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites.<\/p>\n
The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor \u201cMadMxShell\u201d for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.<\/p>\n
In this blog, we will examine the campaign details, threat actor’s infrastructure, and a detailed technical analysis of the backdoor. We have also shared a custom Python script to decode C2 traffic for malware samples and all the Indicators of Compromise (IOCs) linked to this campaign.<\/p>\n
Key Takeaways
\n Between November 2023 and March 2024, multiple domains were registered by a threat actor spoofing legitimate IP scanners and other software typically used by IT security and network administration teams in enterprises.
\n The threat actor abused Google Ads to conduct a malvertising campaign in an attempt to push their malicious sites to the top of search results.
\n A successful infection results in the delivery of a previously unseen backdoor that we named \u201cMadMxShell\u201d.
\n The backdoor uses techniques such as multiple stages of DLL sideloading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively.
\n In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions.<\/p>\n
BackgroundThe selection of spoofed software by this threat actor suggests that their targets primarily consist of IT professionals, particularly those in IT security and network administration roles. This aligns with the recent trend observed where advanced persistent threat (APT) groups, such as NOBELIUM, crafted attacks targeting these teams. With their privileged access to internal systems and networks, IT security and network management teams are attractive targets for both APT groups and initial access brokers (IABs) that sell access to compromised networks. Although we have not yet attributed the attack described in this blog to a specific threat actor, it is important to highlight this emerging trend.<\/p>\n
Threat actors have previously leveraged Google malvertising to distribute trojanized versions of a specific port scanning tool called Advanced IP Scanner, as described in reports by Kaspersky, BlackBerry, and Huntress.<\/p>\n
Although the campaign discussed in this blog uses a similar distribution method, the range of spoofed software has been expanded beyond Advanced IP Scanner. Furthermore, to the best of our knowledge, the final malware delivered in this campaign has not been publicly documented before. Due to these significant differences, we assess with a high-confidence level that this campaign was conducted by a different threat actor.<\/p>\n
Attack ChainThe figure below illustrates the multi-stage attack chain at a high level.<\/p>\n
Figure 1: The MadMxShell end-to-end attack-chain, which starts with malvertising, followed by multiple intermediate stages of DLL sideloading, and finally DNS tunneling to the C2 server.<\/p>\n
Technical AnalysisIn the following section, we provide a detailed analysis for each stage of the attack chain.<\/p>\n
Google malvertising campaignThe modus operandi of the threat actor includes registering multiple look-alike domains spoofing popular port scanning software and pushing them to the top of Google search results by running Google Ads campaigns. This technique is widely known as malvertising.<\/p>\n
During our investigation, we observed users being served these ads when they searched for keywords related to any of the following:<\/p>\n
Any of the legitimate port scanning and IT management software spoofed by this threat actor
\n Advanced IP Scanner
\n Angry IP Scanner
\n PRTG IP Scanner by Paessler
\n Manage Engine<\/p>\n
Network admin tasks related to virtual local area networks (VLANs)
\n Scanning IP protocol<\/p>\n
The figure below shows details of the Google Ads campaign carried out by the threat actor in March 2024 for one of the malicious domains. The domain in question was advanced-ip-scanz[.]net, and the search keywords were:<\/p>\n
“advanced ip scanner”
\n “ip address scanner”<\/p>\n
Figure 2: Details of the Google Ads campaign in March 2024 for the malicious domain advanced-ip-scanz[.]net.<\/p>\n
Once the user clicks on any of the attacker-controlled Google Ads, they are redirected to a look-alike site for the corresponding IP scanning software.<\/p>\n
Malicious sitesThe threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. One such site we observed is advansed-ip-scanner[.]net, which is a look-alike site of the legitimate Advanced IP scanner software www.advanced-ip-scanner[.]com.<\/p>\n
The complete source code of the fraudulent website mirrors the legitimate site, with the exception of minor edits made by the threat actor to JavaScript (JS) code which redirects the user to download a malicious file when they click the download button.<\/p>\n
The figure below shows a comparison between the altered JS code from the malicious file and the original legitimate website. The createFunctionWithTimeout function was modified to redirect users to download a malicious ZIP archive file from the following URL: advansed-ip-scanner[.]net\/yftyudruo.php.<\/p>\n
Figure 3: JavaScript code comparison between the legitimate website\u2019s createFunctionWithTimeout function and the malicious website’s code.<\/p>\n
Backdoor Details – Binary AnalysisStage 1 injectorThe analysis in this blog is based on this ZIP archive: Advanced-ip-scanner.zip (SHA256:7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015).<\/p>\n
The ZIP archive contains two files:<\/p>\n
Advanced-ip-scanner.exe: A renamed copy of the legitimate Microsoft EXE oleview.exe.
\n IVIEWERS.dll: A 22 MB DLL, which contains the stage two payload. This DLL is padded with an unused overlay of 10 MB which prevents scanning by security products that limit the size of analyzed files.<\/p>\n
When Advanced-ip-scanner.exe is run, it sideloads IVIEWERS.dll which executes a series of heavily obfuscated shellcodes extracted from various locations within the .rsrc section of the DLL. The final shellcode extracts and decodes an executable file with the XOR key 5dsadas435235bgdsgdfbvb3253453425345gfdsgfdgdf from resource AT21 of the DLL and injects it into a new Advanced-ip-scanner.exe process via process hollowing.<\/p>\n
Stage 2 dropperThe injected EXE file contains the next stage payloads in resource ID 202, encoded with a hardcoded 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 and compressed with zlib. Each encoded byte in this resource is padded with seven null bytes, resulting in a 10MB file, likely as another anti-scanning technique. This is shown in the figure below.<\/p>\n
Figure 4: The encoded and compressed stage 3 payload in the resource.<\/p>\n
After decoding and decompressing the resource, two files, OneDrive.exe and Secur32.dll, are dropped into %LOCALAPPDATA%MicrosoftOneDriveUpdate.<\/p>\n
The dropper deletes the stage 1 EXE with the following command before executing the dropped OneDrive.exe with ShellExecuteExW:<\/p>\n
cmd.exe \/C for \/l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in (“<PATH>Advanced-ip-scanner.exe”) do (del \/f \/q %p & if not exist %p exit))Stage 3 launcherOneDrive.exe, a legitimate signed Microsoft EXE, is abused to sideload Secur32.dll which sets up persistence for OneDrive.exe before executing the embedded stage 4 shellcode.<\/p>\n
Data from Secur32.dll\u2019s icon resource ID 202 is XOR decoded to obtain the stage 4 shellcode. This is shown in the figure below.<\/p>\n
Figure 5: The icon resource with the encoded stage 4 payload.<\/p>\n
The first 16 bytes of the resource contain an encoded key for the payload that follows it. Each of the first 8 lowercase characters (onedrive) of the current process filename is added to every second byte of the encoded key to derive the XOR key F2 78 CD 9B 85 32 1D 07 33 C4 A0 21 98 A2 95 E3, as shown in the figure below. This prevents the correct decoding of the next stage payload if Secur32.dll was not sideloaded by OneDrive.exe.<\/p>\n
Figure 6: Generating the XOR key to decode the stage 3 shellcode.<\/p>\n
The malware then attempts to disable Windows Defender by setting HKLMSOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware to 1 in the registry.<\/p>\n
It configures a scheduled task named \u201cOneDrive Update\u201d that executes %LOCALAPPDATA%MicrosoftOneDriveUpdateOneDrive.exe when the current user logs on to Windows before redirecting to the next stage.<\/p>\n
Stage 4 backdoorThe shellcode is a backdoor that allows the threat actor to collect system information, execute commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.<\/p>\n
To deter analysis and detection, the malware decodes the code of each function with an 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 (same key used in stage 2), calls the function, and then immediately re-encodes the code. In the figure below, the code excerpt on the right is decoded from the original bytes on the left. We can observe that even after decoding, it still needs to perform an additional step of decoding the get_c2_domain function before it can call it. The function code is re-encoded back to its original state before execution continues. This ensures that there is never a fully decoded copy of the shellcode in memory at any point of execution. Most sensitive strings and data, such as the C2 domain, lookup table for encoding\/decoding C2 communications, and aforementioned XOR key, are also stored as stack strings to hinder analysis.<\/p>\n
Figure 7: Function bytes before and after decoding. Note that the decoded function includes calls to decode and encode other functions called within it. <\/p>\n
The malware generates a 4-byte session ID with the CryptGenRandom API and a victim ID by concatenating the hard disk serial number, computer name, and username, and taking the first 8 bytes of its MD5 hash.<\/p>\n
C2 ProtocolThe malware communicates with the C2 server, litterbolo[.]com, by sending requests and receiving commands encoded within DNS MX queries and responses.<\/p>\n
The malware supports the requests described in the table below.<\/p>\n
TypeNameDescription0HeartbeatIndicates that the malware is ready to accept the next command.1RegistrationSent as the first request of a session or when the C2 issues a re-registration command (type 1 command).2Command acknowledgementAcknowledges the receipt of C2 commands.4System info command resultContains system information collected for type 4 commands.5Shell command resultContains shell output for type 5 commands.6File command resultContains file and\/or directory data for type 6 commands.Table 1: A table describing the requests supported by the malware during C2 communication. <\/p>\n
Figure 8: A diagram depicting the MadMxShell C2 communication loop.<\/p>\n
For each session, the malware first sends a registration request (type 1) to the C2 server.<\/p>\n
Once the C2 server acknowledges the registration request, the malware sends a heartbeat request (type 0) to the C2 server.<\/p>\n
The C2 server will respond with any of the following commands from the table below.<\/p>\n
Command TypeSubcommandDescription0N\/ASends a heartbeat.1N\/ARe-register with C2.2N\/AC2 acknowledges receipt of specified packet and indicates that the malware should send the next packet (for request messages split into multiple packets). 4N\/ACollects system information, like:<\/p>\n
Computer name
\n User name
\n Ethernet IP addresses
\n Windows OS version
\n Processor name
\n Display card name
\n RAM size<\/p>\n
50Start cmd.exe process.1Terminate cmd.exe process.2Execute command via existing cmd.exe process created with subcommand ID 0.60List files and directories if path is specified, otherwise list all drives.1Write or append content to file.2Read from file.3Delete file or directory. Files are deleted with the DeleteFileW API, while directories are deleted with this command: cmd.exe \/c rmdir “<DIR_NAME>” \/s \/q.Table 2: The commands and subcommands supported by the malware.<\/p>\n
The malware then acknowledges the command with a command acknowledgement request (type 2) before executing the specified command.<\/p>\n
After completing the commands for types 4, 5, and 6, the malware sends the results to the C2 server. The malware then repeats the entire process by sending a heartbeat request (type 0) to retrieve the next command. <\/p>\n
Data Encoding The malware sends requests to the C2 server by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS MX query packet. The C2 responds similarly by encoding its commands as subdomain(s) in the corresponding DNS MX response packet.<\/p>\n
Each byte of binary data is converted into a pair of alphanumeric characters using a custom encoding scheme involving a hardcoded 36-character lookup table. Blocks of 60 alphanumeric characters are separated by a \u201c.\u201d character to represent a subdomain name. Python code for decoding these subdomains into the original request and C2 messages can be found in our GitHub repository.<\/p>\n
Because the malware uses a maximum of 224 characters for the FQDN and the C2 domain name cannot be used to encode data, each DNS packet can only transfer up to 103 bytes. Requests and commands that exceed this size are split into multiple DNS packets and are sent sequentially after the other party has acknowledged receipt of the previous packet.<\/p>\n
Possibly due to the limited bandwidth of the C2 protocol, this malware is configured with relatively short intervals (3 seconds) between requests. Because of this, its C2 traffic is significantly more noisy than the typical malware utilizing HTTP for C2 communication.<\/p>\n
Commands received from the C2 (after decoding) are structured as shown in the table below.<\/p>\n
OffsetLengthNameDescription0x04Query numberStarts from 0 per session.0x44ChecksumAdler-32 checksum of entire message data.0x84Packet numberA single message may be split into multiple packets. Starts from 0 for each message.0xC4Message lengthTotal length of the message. This field is only present in the first packet of a message.0x10VariesMessage dataThe first byte of the message contains the command ID. The structure of subsequent bytes differs slightly for each command type.Table 3: The C2 message structure.<\/p>\n
For example, the C2 server for this sample always responds with 33qqooggxr77mdxx88jj6600ev44yyzz9bee99wwuu.litterbolo.com upon receiving a registration request. This is decoded as 00 00 00 00 03 00 0f 00 00 00 00 00 05 00 00 00 02 00 00 00 00 and represents the following message:<\/p>\n
Query number: 0
\n Checksum: 0xF0003
\n Packet number: 0
\n Message length: 5
\n Data: 02 00 00 00 00 (this is an acknowledgement from the C2 that it received packet 0)<\/p>\n
Likewise, the requests sent to the C2 server (before encoding) are structured as shown in the table below.<\/p>\n
OffsetLengthNameDescription0x04Session IDAn ID randomly generated when the malware is started.0x48Victim IDThe first 8 bytes of an MD5 hash of the hard disk serial number, computer name, and user name.0xc4Query numberStarts from 0 per session and is incremented for each DNS query sent to the C2 server.0x104ChecksumThe Adler-32 checksum of entire message data.0x144Packet numberA single message may be split into multiple packets. Starts from 0 for each message.0x184Message lengthTotal length of the message. This field is only present in the first packet of a message.0x1cVariesMessage dataThe first byte of the message contains the request type. Data for the specific request follows it (for example: system information for request type 4).Table 4: The request message structure.<\/p>\n
Observed CommandsDuring our investigation, we observed the backdoor receiving the following commands from the C2 server:<\/p>\n
Collect system information (command type 4).
\n Run systeminfo and ipconfig via cmd.exe (command type 5).
\n Enumerate drives and specific directories, particularly the Windows system directory and user directories (command type 6).<\/p>\n
Some of the commands were received 60 mins to 90 mins after the backdoor registered with the C2 server, which may indicate an anti-analysis technique to defeat sandboxes or actual hands-on activity by the threat actor.<\/p>\n
Based on the capabilities of the stage 4 backdoor and the commands collected, we believe the attacker is likely interested in harvesting and exfiltrating information from infected machines. By focusing on IT teams, this threat actor can target users that have privileged access to sensitive systems (e.g., domain controllers) that can lead to a significant breach.<\/p>\n
Infrastructure DetailsOur analysis started with the domain, advansed-ip-scanner[.]net, that was live at the time of analysis and was serving a payload. WHOIS information for this domain revealed the attacker’s email address used for registration to be wh8842480@gmail.com.<\/p>\n
A quick reverse WHOIS lookup using this email address revealed 45 domains registered between November 2023 and March 2024 to spoof various network scanning and IT management software.<\/p>\n
The complete list of domains used for malware distribution is provided in the IOCs section at the end of this blog.<\/p>\n
These domains were hosted on servers exclusively abused by the threat actor and belonged to the ASNs below:<\/p>\n
AS208312 (REDBYTES, RU)
\n AS16276 (OVH, FR)<\/p>\n
The C2 domain litterbolo[.]com used a dedicated nameserver since the malware abused the DNS protocol for C2 communication.<\/p>\n
OSINT ResearchUpon further Open-Source Intelligence (OSINT) research, we discovered two accounts created by the threat actor on criminal underground forums like blackhatworld[.]com and social-eng[.]ru using the email address wh8842480@gmail.com.<\/p>\n
On the blackhatworld[.]com forum, the threat actor made two posts in a thread related to someone offering methods to bypass the Google Adsense threshold. This aligns with the Google Ads abuse technique used by the threat actor to launch their own malvertising campaign.<\/p>\n
The figures below show two posts made by the threat actor on blackhatworld[.]com expressing interest in this technique and asking to enroll in the course.<\/p>\n
Figure 9: Posts made by the threat actor showing interest in the Google Ads abuse course.<\/p>\n
Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums. Many times they offer a way for the threat actor to add as many credits as possible to run Google Ads campaigns. This allows the threat actors to run campaigns without actually paying until the threshold limit. A reasonably high threshold limit lets the threat actor run the ad campaign for a significant amount of time. Once the threshold has reached, they can use the same technique with a new Google Ads account to repeat the process.<\/p>\n
Threat actors often use virtual credit cards (VCC) along with residential proxies to verify these Google Ads accounts and employ various methods to use them up to the maximum threshold.<\/p>\n
This approach effectively enables threat actors to run long lasting malvertising campaigns with a low investment and also avoid account suspension.<\/p>\n
ConclusionThe threat discussed in this blog demonstrates advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in targeting users in the IT security and network administration teams. The threat actor put significant effort into remaining undetected by evading memory forensics and network security controls.<\/p>\n
While we cannot currently attribute this activity to any known threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections are in place for our customers against these threats.<\/p>\n
We also suggest users follow security best practices and exercise caution when clicking on links appearing in Google search engine results. Users must also ensure to download software only from the official website of the developer.<\/p>\n
Zscaler CoverageFigure 10: Zscaler sandbox detection report<\/p>\n
In addition to sandbox detections, Zscaler\u2019s multilayered cloud security platform detects indicators related to MadMxShell at various levels with the following threat names:<\/p>\n
Win32.Backdoor.MadMxShell<\/p>\n
Indicators Of Compromise (IOCs)File indicatorsSHA256 HashFilenameDescription7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015Advanced-ip-scanner.zipThe ZIP archive contains Advanced-ip-scanner.exe and OneDrive.exe, served by the malicious sites.0263663c5375289fa2550d0cff3553dfc160a767e718a9c38efc0da3d7a4b626Advanced-ip-scanner.exeThe original filename is oleview.exe, a legitimate binary from Microsoft that is vulnerable to DLL sideloading.722a44f6a4718d853d640381e77d1b9815d6f1663603859ff758ded896860cbaIVIEWERS.dllThe malicious DLL sideloaded by oleview.exe.bae2952c7d120d882746658e6d128556ae2498005072c4b7d7590a964b93c315 The IVIEWERS.dll without overlay.6de01c65c994e0e428f5043cb496c8adca96ba18dfd2953335d1f3c9b97c60c5 The stage 2 dropper EXE.9bba4c707de5a66d8c47e3e18e575d43ba8011302dad452230c4b9d6b314ee26OneDrive.exeThe legitimate binary from Microsoft that is vulnerable to DLL sideloading.287a0a80a995f1e62b317cf5faa1db94af6ee9132b0f8483afbd6819aa903d31Secur32.dllThe malicious DLL sideloaded by OneDrive.exe.b5162497bc2b9f1956d2145dd32daa5c99d6803544a0254a9090237628168d94 The icon resource ID 202 in the Secur32.dll which contains the encoded stage 4 backdoor.105e9a8d1014d2939e6b0ada3f24ad4bb6bd21f0155c284c90c7675a1de9d193 The stage 4 backdoor. Network indicators Malware distribution sites
\n advaanced-ip-scanner[.]com
\n advaanced-ip-scanner[.]net
\n advanceb-ip-scanner[.]com
\n advanceb-lp-scanner[.]com
\n advanced-ip-saaner[.]com
\n advanced-ip-scaaner[.]com
\n advanced-ip-scaer[.]com
\n advanced-ip-scaer[.]net
\n advanced-ip-scanel[.]com
\n advanced-ip-scanel[.]net
\n advanced-ip-scanerr[.]com
\n advanced-ip-scanerr[.]net
\n advanced-ip-scanir[.]com
\n advanced-ip-scanir[.]net
\n advanced-ip-scanr[.]com
\n advanced-ip-scanr[.]net
\n advanced-ip-scanz[.]com
\n advanced-ip-scanz[.]net
\n advanced-lp-saanel[.]com
\n advanced-lp-saaner[.]com
\n advanced-lp-scanel[.]com
\n advanced-lp-scannel[.]com
\n advansed-ip-scanner[.]com
\n advansed-ip-scanner[.]net
\n advvanced-ip-scanner[.]com
\n advvanced-ip-scanner[.]net
\n angryipscan[.]net
\n angryipscaner[.]com
\n ipscannerprtg[.]com
\n keystore-explore[.]com
\n manageeengines[.]com
\n manageeengines[.]net
\n managengines[.]com
\n managengines[.]net
\n managengins[.]com
\n managengins[.]net
\n networkipscan[.]com
\n networkscanip[.]com
\n paesslers[.]com
\n prtgscan[.]com<\/p>\n
C2 serverlitterbolo[.]com<\/p>\n
Google Ads linksDateGoogle Ads linkDestinationMarch 5th 2024www.googleadservices[.]com\/pagead\/aclk?sa=L&ai=DChcSEwiN35j_vN2EAxUzGYMDHX4hA34YABABGgJzZg&ae=2&gclid=CjwKCAiAopuvBhBCEiwAm8jaMSAMzoon4dwGsotmQqrkJiOZVKq2nqUgh4h5tTNSLoOP21tibW_TXhoCmoYQAvD_BwE&ohost=www.google.com&cid=CAESVuD2_iSgJRfDJt5uaZ40PZqKlvgj6FO_6U_lr2TzogbqxMcQ-ID9Ciigvk2r4moSqJy-sawYk6hXUSYF7tgUuXPomWtbdnxcslhQNTVii1zjoR-Akmds&sig=AOD64_0RP5d4p4sMCY2XYek62uAF3iWaHQ&q&adurl&ved=2ahUKEwjH15L_vN2EAxVAyqACHRqDBBAQ0Qx6BAgHEAEipscannerprtg[.]comMarch 5th 2024www.googleadservices[.]com\/pagead\/aclk?sa=L&ai=DChcSEwiStfbWpN6EAxVNS38AHbFZBN4YABACGgJvYQ&ase=2&gclid=EAIaIQobChMIkrX21qTehAMVTUt_AB2xWQTeEAAYAyAAEgILlvD_BwE&ohost=www.google.com&cid=CAASJeRo7dvz3CKRm4e4EhXJr2_o-d0_haudokhbkZ505hq6nEa2JOQ&sig=AOD64_3TPRDNISW_jutcN1faBIQQxDOshw&q&nis=6&adurl&ved=2ahUKEwj5q-_WpN6EAxXKL9AFHb3ID4cQ0Qx6BAgEEAEkeystore-explore[.]comMarch 8th 2024www.googleadservices[.]com\/pagead\/aclk?sa=L&ai=DChcSEwjdlN6o3-SEAxVxgoMHHfe-BLIYABACGgJlZg&ase=2&gclid=CjwKCAiAi6uvBhADEiwAWiyRdhpRojhqTPETT3LIoSFRMYLK6PuHStezGHN2xQlXKluURhxieDQGLxoCrdkQAvD_BwE&ohost=www.google.com&cid=CAESVeD2KYxlP2QHuBG9qmLbwT1GsTtxSB9PtbXdt4kQsa_2gvy1Qp0FMaYcMP1wiS7KRVMjU7NX251AxcmT8WLG6KWPCEjLCDv-1uTWiNDdH2fHVm4rXzA&sig=AOD64_0Gk_XdMlDdW3N22zV8ASopY0pLow&q&nis=6&adurl&ved=2ahUKEwi969ao3-SEAxXChP0HHX2IBWsQ0Qx6BAgIEAEprtgscan[.]com MITRE ATT&CK FrameworkIDTacticDescriptionT1583.001Acquire Infrastructure: DomainsThe threat actor registered typosquatting domains and set up fake websites masquerading as legitimate software websites to deliver malware.T1583.002Acquire Infrastructure: DNS ServerThe threat actor configured a DNS server at litterbolo[.]com for C2 communication.T1583.008Acquire Infrastructure: MalvertisingThe threat actor leveraged Google malvertising, targeting search keywords related to IP and port scanners to lure users to visit malicious sites.T1204.002User Execution: Malicious FileThe attack chain is started by the user when they execute the fake Advanced-ip-scanner.exe file.T1574.002Hijack Execution Flow: DLL Side-LoadingThe threat actor leveraged two stages of DLL sideloading to execute the final payload.T1055.012Process Injection: Process HollowingThe threat actor employs process hollowing to inject and execute the stage 2 dropper EXE file.T1562.001Impair Defenses: Disable or Modify ToolsThe stage 3 launcher attempts to disable Windows Defender.T1070.004Indicator Removal: File DeletionThe stage 2 dropper runs a command via cmd.exe to delete the stage 1 EXE from disk.T1053.005Scheduled Task\/Job: Scheduled Task The stage 3 launcher configures for persistence by masquerading as a scheduled task. T1036.004Masquerading: Masquerade Task or ServiceThe scheduled task masquerades as a OneDrive update to execute OneDrive.exe for malware persistence.T1036.005Masquerading: Match Legitimate Name or LocationOneDrive.exe and Secur32.dll are dropped to a subdirectory of %LOCALAPPDATA%MicrosoftOneDrive, which is used by the legitimate OneDrive application.T1027.001Obfuscated Files or Information: Binary Padding IVIEWERS.dll is padded with 10 MB of null bytes to inflate the file size. This tactic can be used to evade security products that have a file size limit for analysis.T1027.007Obfuscated Files or Information: Dynamic API ResolutionMultiple stages use ROR13 API hashing based on the uppercase names of the APIs.T1027.009Obfuscated Files or Information: Embedded PayloadsThe next stage payloads are XOR encoded in the resources of stages 1 to 3.T1082System Information Discovery MadMxShell\u2019s C2 command types 4 and 5 were utilized to enumerate system information and transmit data to the attacker\u2019s C2 server.T1083File and Directory DiscoveryMadMxShell\u2019s C2 command type 6 was utilized to enumerate files and directories on the infected machine.T1033System Owner\/User DiscoveryMadMxShell sends the current username as part of the information collected by command type 4.T1005Data from Local SystemMadMxShell can read files on the infected machine when the C2 command type 6 is issued.T1071.004Application Layer Protocol: DNSMadMxShell abuses the DNS MX queries to establish C2 communication with the C2 server.T1132.002Data Encoding: Non-Standard EncodingC2 traffic uses custom encoding based on a lookup table.T1572Protocol TunnelingThe C2 protocol encodes data within MX queries and responses of the DNS protocol.T1041Exfiltration Over C2 ChannelThe collected data is exfiltrated via C2 communications.AppendixVisit our GitHub repository to access the Python script to decode C2 traffic.\u00a0\u00a0<\/p>\n
\u200b<\/p>\n
The analysis in this blog is based on this ZIP archive: Advanced-ip-scanner.zip (SHA256:7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015).<\/p>\n
The ZIP archive contains two files:<\/p>\n
Advanced-ip-scanner.exe: A renamed copy of the legitimate Microsoft EXE oleview.exe.IVIEWERS.dll: A 22 MB DLL, which contains the stage two payload. This DLL is padded with an unused overlay of 10 MB which prevents scanning by security products that limit the size of analyzed files.<\/p>\n
When Advanced-ip-scanner.exe is run, it sideloads IVIEWERS.dll which executes a series of heavily obfuscated shellcodes extracted from various locations within the .rsrc section of the DLL. The final shellcode extracts and decodes an executable file with the XOR key 5dsadas435235bgdsgdfbvb3253453425345gfdsgfdgdf from resource AT21 of the DLL and injects it into a new Advanced-ip-scanner.exe process via process hollowing.<\/p>\n
The injected EXE file contains the next stage payloads in resource ID 202, encoded with a hardcoded 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 and compressed with zlib. Each encoded byte in this resource is padded with seven null bytes, resulting in a 10MB file, likely as another anti-scanning technique. This is shown in the figure below.<\/p>\n
Figure 4: The encoded and compressed stage 3 payload in the resource.<\/p>\n
After decoding and decompressing the resource, two files, OneDrive.exe and Secur32.dll, are dropped into %LOCALAPPDATA%MicrosoftOneDriveUpdate.<\/p>\n
The dropper deletes the stage 1 EXE with the following command before executing the dropped OneDrive.exe with ShellExecuteExW:<\/p>\n
cmd.exe \/C for \/l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in (“<PATH>Advanced-ip-scanner.exe”) do (del \/f \/q %p & if not exist %p exit))<\/p>\n
OneDrive.exe, a legitimate signed Microsoft EXE, is abused to sideload Secur32.dll which sets up persistence for OneDrive.exe before executing the embedded stage 4 shellcode.<\/p>\n
Data from Secur32.dll\u2019s icon resource ID 202 is XOR decoded to obtain the stage 4 shellcode. This is shown in the figure below.<\/p>\n
Figure 5: The icon resource with the encoded stage 4 payload.<\/p>\n
The first 16 bytes of the resource contain an encoded key for the payload that follows it. Each of the first 8 lowercase characters (onedrive) of the current process filename is added to every second byte of the encoded key to derive the XOR key F2 78 CD 9B 85 32 1D 07 33 C4 A0 21 98 A2 95 E3, as shown in the figure below. This prevents the correct decoding of the next stage payload if Secur32.dll was not sideloaded by OneDrive.exe.<\/p>\n
Figure 6: Generating the XOR key to decode the stage 3 shellcode.<\/p>\n
The malware then attempts to disable Windows Defender by setting HKLMSOFTWAREPoliciesMicrosoftWindows DefenderDisableAntiSpyware to 1 in the registry.<\/p>\n
It configures a scheduled task named \u201cOneDrive Update\u201d that executes %LOCALAPPDATA%MicrosoftOneDriveUpdateOneDrive.exe when the current user logs on to Windows before redirecting to the next stage.<\/p>\n
The shellcode is a backdoor that allows the threat actor to collect system information, execute commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files.<\/p>\n
To deter analysis and detection, the malware decodes the code of each function with an 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 (same key used in stage 2), calls the function, and then immediately re-encodes the code. In the figure below, the code excerpt on the right is decoded from the original bytes on the left. We can observe that even after decoding, it still needs to perform an additional step of decoding the get_c2_domain function before it can call it. The function code is re-encoded back to its original state before execution continues. This ensures that there is never a fully decoded copy of the shellcode in memory at any point of execution. Most sensitive strings and data, such as the C2 domain, lookup table for encoding\/decoding C2 communications, and aforementioned XOR key, are also stored as stack strings to hinder analysis.<\/p>\n
Figure 7: Function bytes before and after decoding. Note that the decoded function includes calls to decode and encode other functions called within it. \u00a0<\/p>\n
The malware generates a 4-byte session ID with the CryptGenRandom API and a victim ID by concatenating the hard disk serial number, computer name, and username, and taking the first 8 bytes of its MD5 hash.<\/p>\n
The malware communicates with the C2 server, litterbolo[.]com, by sending requests and receiving commands encoded within DNS MX queries and responses.<\/p>\n
The malware supports the requests described in the table below.<\/p>\n