Threat actors continue to refine malvertising campaigns with cloaking and fingerprinting to stay under defenders’ radars while delivering infostealers and other malware used by initial access brokers in ransomware operations. The article documents a recent malvertising chain targeting remote access tools like Advanced IP Scanner, featuring server-side IP checks, Base64-encoded JavaScript fingerprinting, and data exfiltration to decide when to drop the payload.
#Advanced_IP_Scanner #advnced_lp_scanner
Keypoints
- Malvertising campaigns are employing advanced cloaking and fingerprinting to avoid detection and maintain online presence.
- Ads on popular search engines (e.g., Google) promote tools like Advanced IP Scanner and redirect to malicious infrastructure.
- The malicious domain advnced-lp-scanner[.]com hosts the landing page and is hosted from a Russia-based server (185.11.61[.]65).
- Threat actors perform server-side IP checks to determine if visitors use VPNs/proxies or have previously visited, delaying revealing the malicious payload.
- Client-side fingerprinting uses Base64-encoded JavaScript to collect environment data (browser properties, time zone, rendering capabilities, MIME types) before delivering the payload.
- Collected data is posted back to the attacker via a POST request to guide next steps, culminating in a malware payload delivery.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising chain leading to malware payload delivered via malicious ad; example: “The ad below is for the Advanced IP scanner tool and was found when performing a Google search from a US IP address.”
- [T1027] Obfuscated/Compressed Files and Information – Base64-encoded JavaScript loaded before anything else on the page; “Base64 encoded JavaScript that is loaded before anything else on the page.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks like the WEBGL_debug_renderer_info API to detect virtualization environments; “WEBGL_debug_renderer_info API can help to detect if you are using virtualization such as VMware or VirtualBox.”
- [T1041] Exfiltration Over C2 Channel – Victim data is posted to the attacker’s site for processing; “The data that is collected from visitors is then sent back to the attacker’s website via a POST request.”
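The fingerprinting script described in the keypoints (Base64-encoded JavaScript probing WEBGL_debug_renderer_info, time zone, MIME types and browser properties, then POSTing the result) can be triaged statically from a captured landing page. The following is an added example written for this summary, not code from the article or the campaign; it assumes Node.js (for `Buffer`), and the indicator names, the `atob()` loader shape and the sample HTML are constructed for illustration.

```javascript
// Added example (not from the article): static triage of a captured landing page
// for Base64-encoded fingerprinting scripts. Assumes Node.js (Buffer).
const FINGERPRINT_INDICATORS = [
  { name: 'webgl_renderer', re: /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/ },
  { name: 'timezone',       re: /getTimezoneOffset|resolvedOptions\(\)\.timeZone/ },
  { name: 'mime_types',     re: /navigator\.(mimeTypes|plugins)/ },
  { name: 'browser_props',  re: /navigator\.(userAgent|platform|hardwareConcurrency|languages)/ },
  { name: 'canvas_render',  re: /toDataURL|getImageData/ },
  { name: 'exfil_post',     re: /XMLHttpRequest|fetch\(|sendBeacon|method\s*:\s*['"]POST['"]/i },
];
// Pull out Base64 literals handed to atob() and keep the ones that decode to printable text
// (a script decoded and run before anything else loads is the pattern the article describes).
function decodeBase64Literals(html) {
  const decoded = [];
  const re = /atob\(\s*['"`]([A-Za-z0-9+/=]{40,})['"`]\s*\)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\t\n\r\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}
// Which fingerprinting / exfiltration behaviours does a decoded script reference?
function scoreScript(js) {
  return FINGERPRINT_INDICATORS.filter(i => i.re.test(js)).map(i => i.name);
}
// Verdict: several environment probes plus a POST back to the site is the
// fingerprint-then-deliver pattern; thresholds are a constructed heuristic.
function triagePage(html) {
  const scripts = decodeBase64Literals(html);
  const hits = new Set(scripts.flatMap(scoreScript));
  return {
    decodedScripts: scripts.length,
    indicators: [...hits].sort(),
    suspicious: hits.size >= 3 && hits.has('exfil_post'),
  };
}
// Constructed sample: a hidden probe script wrapped the way such pages load it.
const HIDDEN_SCRIPT = [
  "var gl=document.createElement('canvas').getContext('webgl');",
  "var ext=gl.getExtension('WEBGL_debug_renderer_info');",
  "var d={r:gl.getParameter(ext.UNMASKED_RENDERER_WEBGL),tz:new Date().getTimezoneOffset(),",
  "m:navigator.mimeTypes.length,ua:navigator.userAgent};",
  "fetch('/collect',{method:'POST',body:JSON.stringify(d)});",
].join('\n');
const SAMPLE_HTML = '<html><head><script>eval(atob("' +
  Buffer.from(HIDDEN_SCRIPT).toString('base64') + '"))</script></head><body></body></html>';
const BENIGN_HTML = '<html><head><script>console.log("hello")</script></head></html>';
console.log(triagePage(SAMPLE_HTML)); // suspicious: true
```

Run over a saved copy of a landing page, the `indicators` list gives an analyst the concrete probes to look for in the decoded script, and `suspicious` is only a first-pass flag to be confirmed by manual review.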
Indicators of Compromise
- [Domain] Malicious landing domain – advnced-lp-scanner[.]com
- [IP Address] Malicious hosting server – 185.11.61[.]65 (Russia)