Keypoints
- Threat actors hosted a convincing clone of the Advanced IP Scanner site (advanced[.]ip-scanner[.]co) and distributed it via malvertising (Google Ads).
- The malicious site redirected visitors to the legitimate site unless the request appeared to originate from a Google ad click (Referer header filtering).
- Using browser developer tools, the author inspected request headers from an ad click to identify the Referer behavior and replicated it in Postman.
- By setting the Referer to https://www.google.com/ in Postman, the author retrieved the malicious HTML and discovered an open /download directory containing ipscanner.txt.
- ipscanner.txt contained Base64-encoded data which decoded to an executable; the author decoded it via CyberChef and also downloaded and decoded it on a VM using certutil.
- The decoded executable’s SHA256 matched the hash from the original alert, confirming the malicious sample; apps2co.php served the decoded executable directly.
- The write-up illustrates investigative steps to obtain and verify a malicious payload when the attacker uses redirect/referrer checks to hide content.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious content was distributed via online advertising; the article notes ‘malvertising (e.g., “malicious advertising” like Google Ads).’
- [T1204] User Execution – The attack relied on a user clicking an ad and downloading a trojanized utility: ‘employee downloading a malicious version of Advanced IP Scanner.’
- [T1105] Ingress Tool Transfer – The malicious executable was hosted and retrieved from the attacker-controlled site and served via download endpoints: ‘If we click the apps2co.php link on this page, it serves up the decoded .exe.’
- [T1027] Obfuscated Files or Information – The payload was embedded as Base64 to hide the executable: ‘that looks like Base64 encoding.’
- [T1071.001] Application Layer Protocol: Web Protocols – The actor used HTTP Referer checks to gate content; the researcher ‘append[ed] a Referer header with the value https://www.google.com/’.
Indicators of Compromise
- [Domain] Malicious/clone domain – advanced[.]ip-scanner[.]co (malicious clone), advanced-ip-scanner.com (legitimate site seen in redirects)
- [URL/Path] Download directory and endpoints – advanced-ip-scanner[.]com/download/, and endpoint apps2co.php
- [File name] Hosted files – ipscanner.txt (Base64 payload), dl.php / dwnl.php (download logic)
- [Command/Tool] Decoding technique observed – certutil -decode raw.txt decoded.exe; CyberChef “From Base64” used to decode
- [Hash] SHA256 (matched to alert) – SHA256 hash mentioned as matching the alert (value not published in article)
The technical procedure began with inspecting a suspected malicious site that redirected to the legitimate Advanced IP Scanner homepage unless the request appeared to come from a Google ad. Using the browser developer tools (F12) and the network tab, the author examined the request headers produced by an ad click to identify the Referer behavior, then replicated that request in Postman by adding a Referer: https://www.google.com/ header to the GET request, which returned the malicious HTML clone instead of the legitimate page.
From the returned HTML the author searched for download references, found an open /download directory, and discovered ipscanner.txt containing what appeared to be Base64-encoded data. The file’s contents were decoded with CyberChef (“From Base64”) to reveal an executable—verified by the presence of the string “This program cannot be run in DOS mode.”—and alternatively the raw Base64 was saved to raw.txt on a VM and decoded with certutil -decode raw.txt decoded.exe to produce the same .exe file.
The author validated the sample by computing a SHA256 hash (Get-FileHash) and confirming it matched the hash from the original alert, and noted that apps2co.php served the decoded executable directly. These steps—header inspection and manipulation, locating an open directory, Base64 decoding, and hash verification—provide a reproducible flow for safely retrieving and confirming a web-hosted malicious payload for analysis.