Table of Contents
  • Home
  • /
  • Blog
  • /
  • MadMxShell - A New Backdoor Targeting IT Security & Network Administrators
April 19, 2024

MadMxShell - A New Backdoor Targeting IT Security & Network Administrators

MadMxShell - A New Backdoor Targeting IT Security & Network Administrators

In the ever-evolving landscape of cybersecurity, attackers are constantly seeking out new attack vectors to deliver malware and compromise their targets. One of the latest trends observed by security researchers is the exploitation of Google Ads to spread infections, taking advantage of the platform's vast reach and the trust users place in the search engine giant.

In this blog post, we will get you into a recent malware campaign identified by the Zscaler ThreatLabz team, where an unidentified threat actor has been weaponizing a cluster of domains masquerading as legitimate IP scanner software sites. The primary objective of this campaign is to trick IT teams, particularly those in IT security and network administration roles, into downloading a previously unseen backdoor named MadMxShell.

Our goal in publishing this post is to raise awareness among IT professionals and educate them on the importance of exercising caution when downloading software from the internet. In the following sections, we will provide you with essential information about the MadMxShell backdoor, its capabilities, how the attackers abused Google Ads to spread the malware, and most importantly, the steps you can take to protect your organization from falling victim to such attacks.

What You Should Know About MadMxShell

The Zscaler ThreatLabz team has been at the forefront of investigating the MadMxShell backdoor, shedding light on its sophisticated anti-evasion techniques and the reasons behind its peculiar name. The team's proactive approach to threat hunting allowed them to detect this malware in the early stages, enabling them to promptly analyze its behavior and share their findings with the cybersecurity community.

The researchers first caught wind of the MadMxShell backdoor while monitoring suspicious activity related to typosquatted domains masquerading as legitimate IP scanner software sites. initially, the results of WhoIs made them suspect this malware. Then Reverse WhoIs by Email, the team found more alike domains registered between November 2023 to March 2024. Further finding the hosting of the domains, the team got that this is not a legit service. By closely examining the network traffic and the files being distributed through these domains, the team was able to identify the presence of a previously unknown malware payload.

As they delved deeper into the analysis of this new threat, the Zscaler ThreatLabz team discovered several notable characteristics that led them to name the backdoor "MadMxShell." This name derives from the malware's use of DNS MX queries for its command-and-control (C2) communication, as well as its remarkably short interval between C2 requests, which sets it apart from other backdoors.

One of the most striking features of MadMxShell is its incorporation of multiple anti-evasion techniques designed to bypass endpoint and network security solutions. The backdoor employs a multi-stage infection process, leveraging DLL side-loading and process hollowing to inject its malicious payload into legitimate system processes. Additionally, MadMxShell utilizes DNS tunneling for its C2 communication, effectively hiding its traffic within seemingly benign DNS queries and responses.

Furthermore, the Zscaler ThreatLabz team discovered that MadMxShell employs advanced obfuscation techniques, such as dynamic API resolution and the use of stack strings, to hinder analysis and evade detection by security solutions. These findings underscore the level of sophistication employed by the threat actors behind this malware campaign, highlighting the importance of staying vigilant and adopting a proactive approach to cybersecurity.

Note: Zscaler covered campaign details, threat actor's infrastructure, and a detailed technical analysis of the backdoor in their publish. We recommend not to skip the complete details for further analysis.

How Attackers Abused Google Ads to Infect the MadMxShell Backdoor?

The attack chain employed by the threat actors behind the MadMxShell backdoor is a multi-stage process that begins with a malvertising campaign abusing Google Ads. By leveraging the popularity and trust associated with Google's advertising platform, the attackers were able to reach a wide audience and maximize the chances of successful infections.

Here's a step-by-step breakdown of the attack chain, as illustrated in the image below:

  1. The threat actor begins by registering multiple look-alike domains using a typosquatting technique, creating convincing imitations of legitimate IP scanner software sites.

  2. These malicious domains are then promoted through Google Ads, targeting specific search keywords related to IP scanners and network administration tools. By bidding on these keywords, the attackers ensure that their ads appear at the top of the search results when users search for the targeted software.

  3. When a user clicks on one of the malicious Google Ads, they are redirected to a look-alike site that closely resembles the legitimate software's website. This tactic aims to deceive the user into believing they are downloading the genuine software.

  4. Upon clicking the download button on the fake website, the user unwittingly downloads a malicious ZIP archive named (SHA256: 7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015). This archive contains two files:

  • Advanced-ip-scanner.exe: A renamed copy of the legitimate Microsoft executable oleview.exe (SHA256: 0263663c5375289fa2550d0cff3553dfc160a767e718a9c38efc0da3d7a4b626).

  • IVIEWERS.dll: A malicious DLL (SHA256: 722a44f6a4718d853d640381e77d1b9815d6f1663603859ff758ded896860cba).

5. When the user executes Advanced-ip-scanner.exe, it triggers a series of DLL side-loading and process injection techniques. These techniques ultimately lead to the execution of the MadMxShell backdoor, which is injected into a legitimate system process to evade detection.

6. The injected executable extracts and decodes an additional executable file (SHA256: 6de01c65c994e0e428f5043cb496c8adca96ba18dfd2953335d1f3c9b97c60c5) from the resource section of IVIEWERS.dll. This decoded executable then drops two files in the %LOCALAPPDATA%\Microsoft\OneDrive\Update directory:

  • OneDrive.exe: A legitimate signed Microsoft executable (SHA256: 9bba4c707de5a66d8c47e3e18e575d43ba8011302dad452230c4b9d6b314ee26).

  • Secur32.dll: Another malicious DLL (SHA256: 287a0a80a995f1e62b317cf5faa1db94af6ee9132b0f8483afbd6819aa903d31).

7. OneDrive.exe is abused to sideload Secur32.dll, which contains the stage 4 shellcode backdoor (SHA256: 105e9a8d1014d2939e6b0ada3f24ad4bb6bd21f0155c284c90c7675a1de9d193) encoded within its icon resource (ID 202).

8. The MadMxShell backdoor establishes communication with the attacker's command-and-control (C2) server (litterbolo[.]com) using DNS MX queries. This allows the attacker to issue commands, collect system information, and exfiltrate sensitive data from the compromised machine.

How You Should be Protected from Such Attacks?

To protect your organization from falling victim to attacks like the one involving the MadMxShell backdoor, implement a comprehensive, multi-layered security strategy:

  1. Establish and enforce strict download policies:

  • Define acceptable sources for downloading software

  • Implement procedures for verifying the legitimacy of downloaded files

  • Restrict downloads to only trusted and verified sources

2. Implement execution policies to control application and script execution:

3. Strengthen network security with advanced solutions:

4. Implement access control policies based on the principle of least privilege:

  • Grant employees only the permissions they need to perform their job functions

  • Regularly review and update permissions to ensure they remain appropriate

  • Minimize the number of users with administrative or elevated privileges

  • Limit the potential impact of a successful attack by restricting access to critical systems and data

5. Conduct regular phishing simulations and user education programs:

  • Train employees to recognize and report suspicious emails, links, and attachments

  • Foster a culture of cybersecurity awareness within the organization

  • Create an additional layer of defense against malware infections and other cyber threats

6. Continuously monitor, assess, and adapt defenses:

  • Regularly update and patch systems, applications, and security solutions

  • Conduct periodic vulnerability assessments and penetration testing

  • Stay informed about the latest threats and attack techniques

  • Adapt security strategies and controls to keep pace with the evolving threat landscape

By implementing these technical controls, policies, and educational initiatives, organizations can significantly reduce the risk of falling victim to attacks like the one involving the MadMxShell backdoor. However, cybersecurity is an ongoing process that requires constant vigilance and adaptation to remain effective against the ever-changing threat landscape.

Bottom Line

The emergence of the MadMxShell backdoor and its sophisticated attack chain underscore the ever-evolving nature of cyber threats. As attackers continue to exploit new vectors, such as malvertising campaigns abusing Google Ads, organizations must remain vigilant and proactive in their cybersecurity approach. Adopting a multi-layered, defense-in-depth strategy encompassing technical controls, security policies, and user education is crucial. However, cybersecurity is an ongoing process requiring continuous monitoring, assessment, and adaptation. By prioritizing a comprehensive approach to defending against threats like MadMxShell, organizations can significantly reduce their risk of falling victim to costly and damaging cyber attacks.

We hope this post helps you know about MadMxShell, a new backdoor targeting IT Security & Network Administrators, and how to protect the infrastructure by implementing some security controls. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, and our social media page

on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added


View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription