Security researchers have spotted another malicious advertising campaign in Google Ads that sees hackers impersonating multiple legitimate software companies.
While definitely not the first of its kind, this campaign was said to be unique for distributing a sophisticated Windows backdoor.
The campaign was first spotted by cybersecurity researchers from Zscaler Threat labs, who noted between November 2023, and March 2024, unidentified threat actors registered at least 45 domains. All of them were typosquatted versions of port scanning and IT management software companies, such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine.
New malware
Then, they somehow managed to create an ad campaign on Google Ads to promote these sites. Usually, hackers would do it by obtaining access to a legitimate Google Ads account, possibly one with a proven track record of “clean” ads.
Consequently, whoever would search for this type of software on Google would be presented with these ads in the top of the search engine results page, as well as in other locations reserved for ads. Those who would open the site, and download the programs offered there, would end up getting the MadMxShell backdoor.
This backdoor, The Hacker News reports, is a brand new piece of malware. Its infection chain is relatively long, and includes multiple DLL and EXE files.
“The backdoor uses techniques such as multiple stages of DLL side-loading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively,” the researchers explained.
“In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions.”
So far, the researchers don’t know who the attackers are, or what their motives for the campaign might be. A backdoor has numerous use cases, from data theft and espionage, to unauthorized access, setting up persistence, and even remote control.