Keypoints
- Threat actor registered numerous typosquatting domains impersonating IP/port scanner and IT management tools to host malicious payloads.
- Google Ads were abused (malvertising) to surface attacker-controlled look‑alike sites in search results for targeted keywords.
- Delivery used a trojanized ZIP containing a legitimately signed EXE (a renamed oleview.exe) and a large malicious DLL (IVIEWERS.dll) padded to evade scanners.
- Multi-stage execution: DLL sideloading -> shellcode extraction -> XOR/zlib decoding -> process hollowing to launch the dropper and subsequent stages.
- Final backdoor (MadMxShell) uses DNS MX queries/responses for C2 (litterbolo[.]com) with a custom 36‑character encoding and short 3s heartbeat intervals.
- Backdoor supports system info collection, shell command execution (cmd.exe), and file operations; functions are decoded and re‑encoded at runtime to hinder analysis.
- Persistence via a scheduled task masquerading as a OneDrive update and attempts to disable Windows Defender; Zscaler provides detections and IOCs.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – Registered typosquatting domains impersonating IP scanners (‘registered multiple look-alike domains spoofing popular port scanning software’).
- [T1583.008] Acquire Infrastructure: Malvertising – Used Google Ads to push malicious sites to top of search results (‘leveraged Google Ads to push these domains to the top of search engine results’).
- [T1204.002] User Execution: Malicious File – Execution begins when victims run the fake scanner EXE (‘the attack chain is started by the user when they execute the fake Advanced-ip-scanner.exe’).
- [T1574.002] Hijack Execution Flow: DLL Side‑Loading – Two stages of DLL sideloading are used to execute payloads (‘sideloads IVIEWERS.dll … OneDrive.exe is abused to sideload Secur32.dll’).
- [T1055.012] Process Injection: Process Hollowing – Injected EXE is run via process hollowing (‘injects it into a new Advanced-ip-scanner.exe process via process hollowing’).
- [T1027.001] Obfuscated Files or Information: Binary Padding – Large overlay padding added to IVIEWERS.dll to evade scanning (‘IVIEWERS.dll is padded with an unused overlay of 10 MB’).
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – Next-stage payloads embedded XOR‑encoded in resources (‘extracts and decodes an executable file … from resource AT21’).
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Runtime API resolution and ROR13 hashing used across stages (‘Multiple stages use ROR13 API hashing based on the uppercase names of the APIs’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Attempts to disable Windows Defender via registry change (‘attempts to disable Windows Defender by setting … DisableAntiSpyware to 1’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creates a “OneDrive Update” scheduled task for persistence (‘configures a scheduled task named “OneDrive Update” that executes … OneDrive.exe when the current user logs on’).
- [T1036.004] Masquerading: Masquerade Task or Service – Persistence masquerades as a legitimate OneDrive update (‘The scheduled task masquerades as a OneDrive update to execute OneDrive.exe’).
- [T1071.004] Application Layer Protocol: DNS – C2 over DNS using MX queries/responses (‘uses DNS MX queries for C2 communication’).
- [T1132.002] Data Encoding: Non‑Standard Encoding – Custom 36‑character lookup and paired‑char encoding used in DNS subdomains (‘Each byte … converted into a pair of alphanumeric characters using a custom encoding scheme involving a hardcoded 36-character lookup table’).
- [T1572] Protocol Tunneling – Encodes data inside DNS MX records to tunnel C2 traffic (‘encodes the data in the subdomain(s) of the FQDN in a DNS MX query packet’).
- [T1041] Exfiltration Over C2 Channel – Collected data and command results are sent back over the DNS C2 channel (‘After completing the commands … the malware sends the results to the C2 server’).
- [T1082] System Information Discovery – Backdoor collects system details for reconnaissance (‘collects system information like … computer name, user name, ethernet IP addresses’).
- [T1083] File and Directory Discovery – Supports file/directory listing and file read/write/delete via C2 commands (‘List files and directories … Read from file … Write or append content to file’).
Indicators of Compromise
- [SHA256 Hash] Delivered ZIP and stage artifacts – 7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015 (Advanced-ip-scanner.zip), 0263663c5375289f… (Advanced-ip-scanner.exe), and 7 more hashes.
- [Filenames] Malicious binaries and DLLs – Advanced-ip-scanner.exe (renamed oleview.exe), IVIEWERS.dll (malicious stage DLL), OneDrive.exe (dropper), Secur32.dll (malicious sideloaded DLL).
- [Domains] Distribution and phishing sites – advansed-ip-scanner[.]net, advanced-ip-scanz[.]net, ipscannerprtg[.]com, angryipscan[.]net, and ~40 other typosquatting domains listed in the campaign.
- [C2 Domain] Command-and-control – litterbolo[.]com used for DNS MX C2 communication.
- [Google Ads] Malvertising redirect links – example ad click URL: www.googleadservices[.]com/pagead/aclk?… (redirected to ipscannerprtg[.]com), and other March 2024 ad links targeting prtgscan[.]com / keystore-explore[.]com.
The attack chain begins with Google Ads driving victims to typosquatted look‑alike sites that serve a trojanized ZIP file; the website JavaScript was altered to redirect download requests to a malicious ZIP. The ZIP contains a renamed legitimate EXE and a large malicious DLL (IVIEWERS.dll). Running the EXE triggers DLL sideloading: IVIEWERS.dll unpacks heavily obfuscated shellcode from its resources, XOR‑decodes an embedded executable (resource AT21) with a long XOR key, and injects it into a new Advanced‑ip‑scanner.exe via process hollowing.
The injected dropper decodes a zlib‑compressed resource (resource ID 202) using an 8‑byte XOR key (F2 09 CD 2D 85 CD 1D A3), writes OneDrive.exe and Secur32.dll to %LOCALAPPDATA%\Microsoft\OneDrive\Update, deletes the initial stage, and launches OneDrive.exe. OneDrive.exe is abused to sideload Secur32.dll, which decodes embedded stage‑4 shellcode (icon resource 202); the loader derives an XOR key based on the process filename (onedrive) to prevent decoding unless sideloaded correctly. The launcher sets a “OneDrive Update” scheduled task for persistence and attempts to disable Defender via HKLM policies.
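An analyst's triage helper for the resource layering described above (XOR with a repeating key, then zlib for resource 202; XOR only for resource AT21). This is an added example, not code from the Zscaler post; the 8-byte key is the one the page states, while the sample resource is a constructed fake PE header, not a real artifact.

```python
import zlib

# Stage-2 dropper key for resource 202, as stated on the page
STAGE2_KEY = bytes.fromhex("F209CD2D85CD1DA3")

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_resource(blob: bytes, key: bytes, compressed: bool = True) -> bytes:
    """Recover an embedded payload: XOR-decode, then zlib-inflate when the stage
    stores it compressed (resource 202 is; pass compressed=False for AT21-style
    XOR-only resources). A wrong key surfaces as zlib.error on the inflate step."""
    plain = xor_repeating(blob, key)
    return zlib.decompress(plain) if compressed else plain

def looks_like_pe(data: bytes) -> bool:
    """Sanity check that decoding produced a PE image: 'MZ' header and an
    e_lfanew that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Constructed stand-in for resource 202: a minimal fake PE header, zlib-compressed
# and XOR-encoded the way the dropper stores its payload. Not a real sample.
_FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
            + b"PE\x00\x00" + b"\x00" * 60)
SAMPLE_RESOURCE_202 = xor_repeating(zlib.compress(_FAKE_PE), STAGE2_KEY)

def demo() -> bool:
    """Decode the constructed resource and confirm a PE image comes out."""
    recovered = decode_resource(SAMPLE_RESOURCE_202, STAGE2_KEY)
    return looks_like_pe(recovered) and recovered == _FAKE_PE
```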
The final stage is the MadMxShell backdoor: code and functions are decoded on demand with the 8‑byte XOR key and immediately re‑encoded to avoid a fully decoded memory image. It generates session and victim IDs, then communicates with litterbolo[.]com over DNS MX queries/responses using a custom 36‑character lookup encoding that maps bytes into paired alphanumeric characters and splits payloads into 60‑char subdomain blocks. Each DNS packet carries up to ~103 bytes (FQDN length limits), so larger messages are fragmented and acknowledged; the malware uses short 3‑second intervals and supports registration, heartbeat, command acknowledgement, system info, shell command execution (via cmd.exe), and file operations, with observed operator activity delayed up to 60–90 minutes as an anti‑analysis trait.
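A detection sketch for the DNS MX channel described above, written as an added example (not code from the Zscaler post): it groups MX queries per client and base domain and scores the traits the page gives, even-length alphanumeric subdomain labels (one byte becomes two characters), a full 60-character block, and a cadence of a few seconds. The log field layout, the thresholds and the "last two labels = registrable domain" shortcut are assumptions; the log lines are constructed and use the C2 domain named on the page.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines (not real telemetry); the field layout is an
# assumption, so adapt LINE_RE to your resolver. BLOCK stands in for one 60-char
# encoded subdomain block of the kind the page describes.
BLOCK = "k3m9q1z7" * 7 + "a4b7"
SAMPLE_LOG = [
    f"2024-03-10T12:00:00Z client=10.0.0.5 qtype=MX qname={BLOCK}.{BLOCK}.q4r7s0.litterbolo.com",
    "2024-03-10T12:00:03Z client=10.0.0.5 qtype=MX qname=a1b2c3d4.litterbolo.com",
    "2024-03-10T12:00:06Z client=10.0.0.5 qtype=MX qname=e5f6g7h8.litterbolo.com",
    "2024-03-10T12:00:00Z client=10.0.0.9 qtype=MX qname=mail.example.com",  # benign mail host, same cadence
    "2024-03-10T12:00:03Z client=10.0.0.9 qtype=MX qname=mail.example.com",
    "2024-03-10T12:00:06Z client=10.0.0.9 qtype=MX qname=mail.example.com",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")
ALNUM = re.compile(r"^[a-z0-9]+$")

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def score_mx_tunnel(lines, block_len=60, max_gap_s=5.0, min_queries=3, min_chars=8):
    """Flag (client, base domain) pairs whose MX queries resemble the channel on this
    page: even-length alphanumeric labels (one byte -> two chars), a full 60-char
    block, and a ~3 s cadence. Two of the three signals raise an alert."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["qtype"] == "MX":
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            labels = rec["qname"].lower().rstrip(".").split(".")
            # Simplification: registrable domain = last two labels; use a public-suffix list in production
            groups[(rec["client"], ".".join(labels[-2:]))].append((ts, labels[:-2]))
    alerts = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r[0])
        subs = [lab for _, sub in recs for lab in sub]
        encoded = (sum(map(len, subs)) / len(recs) >= min_chars and
                   all(ALNUM.match(lab) and len(lab) % 2 == 0 for lab in subs))
        full_block = any(len(lab) == block_len for lab in subs)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        beaconing = len(recs) >= min_queries and bool(gaps) and statistics.median(gaps) <= max_gap_s
        hits = [name for name, hit in (("encoded_subdomains", encoded),
                ("60_char_block", full_block), ("fast_cadence", beaconing)) if hit]
        if len(hits) >= 2:
            alerts[key] = hits
    return alerts
```

Endpoints rarely issue MX queries at all, so a simpler first-pass rule is to alert on any MX query from a non-mail host; the scoring above is for environments where that baseline is noisy.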
Read more: https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell