Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

Trustwave SpiderLabs uncovered a maliciously modified Advanced IP Scanner installer that side-loads a pcre.dll to drop a Cobalt Strike beacon and uses process hollowing to run it. Attackers rely on typo-squatting and SEO-based redirection to lure victims to a fake site and download the compromised installer, which is signed with a stolen certificate and connects back to C2 servers nanopeb.com and coldfusioncnc.com. #CobaltStrike #Advanced_IP_Scanner

Keypoints

  • Watering-hole / typo-squatting campaign redirects users toward a malicious domain to obtain the compromised Advanced IP Scanner installer.
  • The legitimate Advanced IP Scanner setup is replaced with a poisoned package that includes a backdoored pcre.dll module.
  • The malicious pcre.dll is used to load and execute a Cobalt Strike beacon via side-loading and process manipulation.
  • The malicious installer is digitally signed with a stolen certificate to appear legitimate.
  • The Cobalt Strike beacon is configured to communicate over HTTPS to C2 servers at nanopeb.com and coldfusioncnc.com.
  • Attack techniques include DLL side-loading, process hollowing, and HTTP(S)-based beacon communication, illustrating a multi-stage compromise.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow – DLL Side Loading – The signed setup file contains a malicious pcre.dll that is loaded by the main program to inject a Cobalt Strike beacon into a newly created parent process. ‘The signed setup file Advanced_IP_Scanner_2.5.4594.1.exe … contains a DLL named pcre.dll … in this compromised version, it is side-loaded to inject a CobaltStrike beacon into a newly created parent process.’
  • [T1055.012] Process Hollowing – The beacon is injected into a newly created process of the main program using the process hollowing technique. ‘then, the program calls the “pcre_exec” module, which contains code to decrypt the CobaltStrike beacon. Finally, it creates a new process for Advanced IP Scanner and injects the decrypted CobaltStrike beacon into this new process using the process hollowing technique.’
  • [T1553.002] Code Signing – The malicious installer is digitally signed using a stolen certificate. ‘The malicious installer is digitally signed using a stolen certificate’
  • [T1071.001] Web Protocols: HTTPS – The beacon config shows HTTPS as the beacon type and uses port 443 to reach C2 servers (nanopeb.com and coldfusioncnc.com). ‘BeaconType HTTPS’ and ‘Port 443’ and ‘C2 servers at nanopeb.com, coldfusioncnc.com’
  • [T1189] Drive-by Compromise – Watering-hole and typo-squatting techniques steer victims to a fake site that delivers the malicious setup package. ‘watering hole attack’ and ‘typo-squatted domain’ are named as the methods used to surface the malicious domain.

Indicators of Compromise

  • [Domain] C2 and related domains – nanopeb.com, coldfusioncnc.com, and 4 more typo-squatted domains
  • [URI] Paths used in HTTP requests – /sub/access/PQODJO5X45JC, /inquiry/webcart/NPDTA4HJGYF2
  • [Hash] Backdoored Advanced_IP_Scanner_2.5.4594.1.exe – MD5: 723227f3a71001fb9c0cd28ff52b2636, SHA256: fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711
  • [Hash] Malicious pcre.dll – MD5: 21cdd0a64e8ac9ed58de9b88986c8983, SHA256: 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e
  • [Hash] CobaltStrike beacon shellcode – MD5: 50792f2cbef2f35ca4fa843fed7ce84ee3a0339e, SHA256: 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4
  • [Domain] Typosquatted domains active for delivery – adlvanced-ip-scanner.com, advanced-ip-scanner.link, advnaced-ip-skanner.top, advanced-ip.org
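
A defender-side way to put the domain and URI indicators above to work, as an added example that is not code from the report or from Trustwave: it runs a constructed proxy log through exact IoC matching and then a lookalike heuristic (edit distance against the genuine domain, plus the truncated form seen in advanced-ip.org), so that a fifth typo-squat not on the list would still be flagged. The genuine domain advanced-ip-scanner.com is not stated on the page and is assumed here; the log format and the IP addresses are constructed.

```python
from urllib.parse import urlsplit

# Indicators taken from the SpiderLabs report summarised above.
C2_DOMAINS = {"nanopeb.com", "coldfusioncnc.com"}
C2_PATHS = {"/sub/access/PQODJO5X45JC", "/inquiry/webcart/NPDTA4HJGYF2"}
TYPOSQUATS = {"adlvanced-ip-scanner.com", "advanced-ip-scanner.link",
              "advnaced-ip-skanner.top", "advanced-ip.org"}
# Assumption: the vendor's genuine domain; the page does not state it.
LEGIT_HOST = "advanced-ip-scanner.com"

def levenshtein(a, b):
    # Plain edit distance; catches lookalikes that are not yet on any blocklist.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    # Verdict for one URL: exact IoC matches first, then a lookalike heuristic.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().removeprefix("www.")
    if host in C2_DOMAINS:
        return "known-c2-domain"
    if parts.path in C2_PATHS:
        return "known-c2-uri"
    if host in TYPOSQUATS:
        return "known-typosquat"
    sld, legit_sld = host.rsplit(".", 1)[0], LEGIT_HOST.rsplit(".", 1)[0]
    # Flag the genuine name on another TLD, a few edits away, or truncated.
    if host != LEGIT_HOST and (levenshtein(sld, legit_sld) <= 3
                               or ("-" in sld and legit_sld.startswith(sld + "-"))):
        return "lookalike-domain"
    return None

def scan_proxy_log(lines):
    # Constructed log format: '<timestamp> <client-ip> <url>'; returns
    # (client-ip, host, verdict) for each line that matches.
    rows = [line.split() for line in lines]
    return [(f[1], urlsplit(f[2]).hostname, v) for f in rows
            if len(f) >= 3 and (v := classify(f[2]))]

SAMPLE_LOG = [  # constructed proxy log, not from the report
    "2024-06-01T10:00:01Z 10.0.0.5 https://advanced-ip-scanner.com/download/",
    "2024-06-01T10:00:09Z 10.0.0.5 https://adlvanced-ip-scanner.com/Advanced_IP_Scanner_2.5.4594.1.exe",
    "2024-06-01T10:02:30Z 10.0.0.5 https://nanopeb.com/sub/access/PQODJO5X45JC",
    "2024-06-01T10:05:00Z 10.0.0.7 https://advanced-ip-scaner.net/setup.exe",
]
```

The same host fetching the installer from a typo-squat and then reaching a C2 domain minutes later is the sequence the report describes, so correlating hits per client IP is the useful next step.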

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-advanced-ip-scanner-installer-delivers-dangerous-cobaltstrike-backdoor/