April 18, 2024 at 01:10AM
A new malvertising campaign abusing Google Ads uses multiple fake domains to distribute the backdoor “MadMxShell,” targeting users searching for IP scanning and IT management software. The Windows backdoor is delivered through JavaScript code and DLL side-loading, and uses DNS MX queries for command-and-control. The threat actor’s origins and motivations are currently unknown.
Key takeaways:
– A new Google malvertising campaign has been identified, utilizing look-alike domains and Google Ads to distribute a sophisticated Windows backdoor called MadMxShell.
– The threat actor has registered multiple look-alike domains using typosquatting techniques, leveraging Google Ads to push these domains to the top of search engine results.
– Victims who visit these sites are prompted to download a malicious file (“Advanced-ip-scanner.zip”), which unpacks a DLL file and an executable.
– The backdoor utilizes DNS MX queries for command-and-control communication, encoding and decoding data in subdomains, evading endpoint and network security measures.
– The threat actor created two accounts on criminal underground forums using the email address wh8842480@gmail[.]com, indicating interest in launching a long-lasting malvertising campaign.
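The MX-based command-and-control described above is visible in DNS logs: legitimate hosts issue few MX queries, and those they do issue target mail domains with short, readable names, whereas a backdoor tunnelling data through MX lookups produces bursts of queries with deep, long, high-entropy subdomains. The script below is an added detection example, not code from the original report or from the malware; the log format, the hostnames (c2-placeholder.example) and the thresholds for label count, label length, entropy and burst size are constructed assumptions, and the sample lines are synthetic.

```python
"""Heuristic detector for data-carrying DNS MX queries (added example, not from the page)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log, one record per line:
#   "<epoch_seconds> <client_ip> <qtype> <qname>"
# The hex-looking labels stand in for encoded beacon data; the domain is a placeholder.
SAMPLE_LOG = """\
1713400000 10.0.0.5 A www.example.com
1713400001 10.0.0.5 MX example.com
1713400002 10.0.0.9 MX 4f3a9c1d2b7e8a0f.1a2b3c4d5e6f7a8b.c2-placeholder.example
1713400003 10.0.0.9 MX 9e8d7c6b5a4f3e2d.0f1e2d3c4b5a6978.c2-placeholder.example
1713400004 10.0.0.9 MX 7a6b5c4d3e2f1a0b.8c9d0e1f2a3b4c5d.c2-placeholder.example
1713400005 10.0.0.9 MX c2-placeholder.example
1713400006 10.0.0.7 MX mail.example.org
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Parse one log record into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def suspicious_mx(rec, max_labels=3, max_label_len=12, min_entropy=3.0):
    """Return the list of reasons an MX query looks like a data channel (empty if benign).

    Thresholds are assumptions for this example; tune them against your own baseline.
    The registrable domain is assumed to be the last two labels (no public-suffix list).
    """
    if rec["qtype"] != "MX":
        return []
    labels = rec["qname"].split(".")
    sub = labels[:-2]  # subdomain labels carrying any encoded payload
    reasons = []
    if len(labels) > max_labels:
        reasons.append("deep-subdomain")
    if any(len(l) > max_label_len for l in sub):
        reasons.append("long-label")
    if sub and shannon_entropy("".join(sub)) >= min_entropy:
        reasons.append("high-entropy")
    return reasons


def analyze(log_text, burst_threshold=3):
    """Flag suspicious MX queries and the clients that issue them repeatedly.

    Returns (findings, bursty_clients): findings is a list of flagged records with
    their reasons; bursty_clients is the set of clients at or above burst_threshold.
    """
    findings = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_mx(rec)
        if reasons:
            per_client[rec["client"]] += 1
            findings.append({**rec, "reasons": reasons})
    bursty = {c for c, n in per_client.items() if n >= burst_threshold}
    return findings, bursty


if __name__ == "__main__":
    hits, clients = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} MX {h['qname']} -> {', '.join(h['reasons'])}")
    print("clients with repeated suspicious MX queries:", sorted(clients))
```

Per-query heuristics alone will occasionally flag odd but legitimate mail setups, so the burst count per client is what turns a single hit into something worth paging on; in a real pipeline you would also baseline normal MX query volume per host, since most endpoints should issue almost none.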