A Google malvertising campaign has emerged, utilizing deceptive domains to distribute a previously unknown Windows backdoor named MadMxShell. This sophisticated operation involves registering numerous look-alike domains and leveraging Google Ads to target specific search keywords, leading unsuspecting users to download malicious files masquerading as legitimate IP scanner software. The backdoor employs advanced techniques such as DNS tunneling for command-and-control communication, evading traditional security measures and highlighting the complexity of modern cyber threats.
Over 45 domains were registered between November 2023 and March 2024, mimicking well-known IP scanning and IT management tools like Advanced IP Scanner and ManageEngine. Upon clicking the download button on these bogus sites, users unwittingly trigger the download of malicious files, including an executable and DLL files. The backdoor, once installed, establishes persistence on the host system and disables Microsoft Defender Antivirus, further illustrating the depth of the attackers’ tactics.
The malware operators’ origins and intentions remain unclear, though Zscaler identified accounts associated with them on criminal underground forums. These forums showcase the threat actors’ interest in long-lasting malvertising campaigns, indicating a sophisticated and strategic approach to cybercrime. The utilization of Google Ads threshold accounts, traded on blackhat forums, underscores the adaptability and persistence of cybercriminals in evading detection and maximizing the impact of their campaigns.
