Cybercriminals are using ‘malvertising’, weaponized bogus ads pushed to the top of Google search results, to distribute a previously unseen backdoor. The attacks are particularly dangerous to organizations of all sizes, because they are aimed squarely at in-house IT professionals, who typically hold the keys to the organization’s digital kingdom.
The unknown threat actor’s selection of spoofed software indicates that the cybercriminals’ targets consist primarily of IT professionals, particularly those in IT security and network administration roles, according to research from Zscaler ThreatLabz.
“Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains…and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords,” says Zscaler ThreatLabz.
The unknown cybercriminals abused Google Ads to run a ‘malvertising’ campaign that pushed their malicious sites to the top of search results; the researchers have named the backdoor those sites deliver ‘MadMxShell’. According to Zscaler ThreatLabz: “The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions.”
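Of the three techniques quoted above, DNS-based C2 is the one a defender can most readily hunt for in telemetry they already collect. The script below is an added example, not code from Zscaler ThreatLabz or from the MadMxShell sample, and it does not claim to mirror how that backdoor encodes its traffic: it scores a DNS query log per (client, registrable domain) on three generic tunnelling signals, namely mostly-unique subdomains, high-entropy leftmost labels, and a high share of record types that endpoints rarely query in volume. The log format, the thresholds, the record-type list and the sample lines are all constructed assumptions, and the domains are placeholders under reserved TLDs.

```python
"""Heuristic detector for DNS-tunnelled C2 beaconing in a DNS query log.

Added illustrative code, not from the Zscaler ThreatLabz research or the
MadMxShell sample; it does not claim to mirror that backdoor's encoding.
Log format, thresholds, record-type list and sample lines are constructed.
"""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log format (assumption): "<timestamp> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

# Record types endpoints rarely query in volume but that tunnelling tools
# favour because the answer carries free-form data (assumption).
RARE_QTYPES = {"MX", "TXT", "NULL"}

# Constructed sample: one host doing ordinary lookups, one legitimate TXT
# lookup, and one host sending many distinct high-entropy MX queries under a
# single apex. Placeholder domains under reserved TLDs, not real indicators.
SAMPLE_LOG = """\
2024-03-20T10:00:01Z 10.0.0.5 A www.example.com
2024-03-20T10:00:02Z 10.0.0.5 AAAA www.example.com
2024-03-20T10:00:03Z 10.0.0.5 A mail.example.com
2024-03-20T10:00:04Z 10.0.0.5 A mail.example.com
2024-03-20T10:00:05Z 10.0.0.5 A login.example.com
2024-03-20T10:00:06Z 10.0.0.5 A cdn.example.com
2024-03-20T10:00:07Z 10.0.0.9 TXT _dmarc.example.net
2024-03-20T10:00:08Z 10.0.0.7 MX q7x2m9k4p1z8r3t6w5n0.c2-placeholder.test
2024-03-20T10:00:09Z 10.0.0.7 MX a3f8j1l6v9b2h5d7s0y4.c2-placeholder.test
2024-03-20T10:00:10Z 10.0.0.7 MX z0p4k8m2c6e1g5i9n3r7.c2-placeholder.test
2024-03-20T10:00:11Z 10.0.0.7 MX b6t1w5x9q3u7o2f4d8j0.c2-placeholder.test
2024-03-20T10:00:12Z 10.0.0.7 MX h2y6l0v4s8a1k5m9p3e7.c2-placeholder.test
2024-03-20T10:00:13Z 10.0.0.7 MX r9c3n7g1z5x0t4b8w2q6.c2-placeholder.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_of(qname: str) -> str:
    """Naive registrable-domain guess: the last two labels. A production
    detector should use the Public Suffix List so that e.g. foo.co.uk works."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


@dataclass
class Finding:
    client: str
    apex: str
    queries: int
    unique_ratio: float
    mean_entropy: float
    rare_qtype_ratio: float
    reasons: list


def analyse(log_text: str, min_queries: int = 5, min_unique_ratio: float = 0.8,
            min_entropy: float = 3.0, min_rare_ratio: float = 0.5) -> list:
    """Group queries per (client, apex) and flag groups showing >= 2 signals."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        _ts, client, qtype, qname = m.groups()
        qname = qname.rstrip(".").lower()
        groups[(client, apex_of(qname))].append((qtype, qname))

    findings = []
    for (client, apex), queries in groups.items():
        n = len(queries)
        if n < min_queries:
            continue  # too little volume to judge; avoids flagging one-off TXT lookups
        unique_ratio = len({q for _, q in queries}) / n
        mean_entropy = sum(shannon_entropy(q.split(".")[0]) for _, q in queries) / n
        rare_ratio = sum(1 for t, _ in queries if t in RARE_QTYPES) / n
        reasons = []
        if unique_ratio >= min_unique_ratio:
            reasons.append("mostly unique subdomains (data carried in labels)")
        if mean_entropy >= min_entropy:
            reasons.append("high-entropy leftmost labels")
        if rare_ratio >= min_rare_ratio:
            reasons.append("unusual record types in volume")
        if len(reasons) >= 2:  # require two independent signals to cut noise
            findings.append(Finding(client, apex, n, round(unique_ratio, 2),
                                    round(mean_entropy, 2), round(rare_ratio, 2), reasons))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Requiring two of the three signals is what keeps legitimate TXT lookups (SPF, DMARC) and busy-but-ordinary hosts out of the findings; tune the thresholds against a week of your own resolver logs before alerting on them.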
Attacks primarily target IT professionals
‘Malvertising’ is not new, but this backdoor, delivered through abused Google Ads, is at the vanguard of a recently observed trend. The software spoofed by the MadMxShell operators suggests that their primary target is IT professionals, an approach that mirrors advanced persistent threat (APT) groups such as NOBELIUM, which are also known to craft attacks aimed at these roles.
“With their privileged access to internal systems and networks, IT security and network management teams are attractive targets for both APT groups and initial access brokers (IABs) that sell access to compromised networks,” says Zscaler ThreatLabz.
According to Kaspersky, BlackBerry, and Huntress, cybercriminals have previously used Google Ads to distribute weaponized versions of one specific network scanning tool, Advanced IP Scanner. But MadMxShell itself is new, and the range of spoofed software has expanded well beyond Advanced IP Scanner.
“The modus operandi of the threat actor includes registering multiple look-alike domains spoofing popular port scanning software and pushing them to the top of Google search results by running Google Ads campaigns. This technique is widely known as malvertising,” says Zscaler ThreatLabz.
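The look-alike domains are the other half of the technique described above, and they can be hunted for before anyone clicks an ad. The script below is an added example, not code from Zscaler ThreatLabz, that flags candidate domains (for instance from a newly-registered-domain feed or proxy logs) which resemble a watchlist of the vendor download sites an IT team actually uses. It catches three spoofing patterns: the same name under a different TLD, hyphen and confusable-character variants, and small typos measured by edit distance. The watchlist and candidate domains are constructed placeholders under reserved TLDs, and the confusables table and the edit-distance threshold are assumptions.

```python
"""Flag look-alike (typosquatted / homoglyph) domains against a watchlist.

Added illustrative code, not from the Zscaler ThreatLabz research. The
watchlist, candidates, confusables table and threshold are constructed.
"""
from dataclasses import dataclass

# Constructed watchlist: in practice, the real download domains of the tools
# your IT and security staff install, taken from your software inventory.
WATCHLIST = ["ip-scanner.example", "portscan-tool.example", "netadmin-suite.example"]

# Small hand-picked confusable substitutions (assumption); a full Unicode
# confusables map is much larger.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("cl", "d")]

# Constructed candidates, as they might arrive from a new-domain feed.
CANDIDATES = [
    "ip-scanner.example",      # the genuine site: must not be flagged
    "www.ip-scanner.example",  # same site behind www: must not be flagged
    "ip-scanner.test",         # same name, different TLD
    "ipscanner.example",       # hyphen dropped
    "ip-scann3r.example",      # digit-for-letter confusable
    "ip-sacnner.example",      # transposition typo
    "weather.example",         # unrelated domain
]


@dataclass
class Lookalike:
    candidate: str
    target: str
    reason: str


def split_domain(domain: str) -> tuple:
    """Return (second-level label, TLD), dropping a leading 'www.'."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def normalise(label: str) -> str:
    """Collapse hyphens and common confusables so variants compare equal."""
    label = label.replace("-", "")
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, target: str, max_distance: int):
    """Why candidate resembles target, or None if it is exact or unrelated."""
    c_sld, c_tld = split_domain(candidate)
    t_sld, t_tld = split_domain(target)
    if c_sld == t_sld:
        return None if c_tld == t_tld else "same name under a different TLD"
    c_norm, t_norm = normalise(c_sld), normalise(t_sld)
    if c_norm == t_norm:
        return "confusable or hyphen variant"
    distance = levenshtein(c_norm, t_norm)
    if distance <= max_distance:
        return f"edit distance {distance}"
    return None


def find_lookalikes(candidates, watchlist=WATCHLIST, max_distance: int = 2) -> list:
    """One finding per candidate, against the first watchlist entry it resembles."""
    hits = []
    for cand in candidates:
        for target in watchlist:
            reason = classify(cand, target, max_distance)
            if reason:
                hits.append(Lookalike(cand, target, reason))
                break
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(CANDIDATES):
        print(f"{hit.candidate:28} ~ {hit.target:24} {hit.reason}")
```

Comparing on the second-level label means a same-name registration under another TLD is caught even when every character matches; the normalisation step runs before the edit-distance step so that a digit-for-letter swap is reported as a confusable rather than as a typo.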