MadMxShell - A New Backdoor Targeting IT Security & Network Administrators

In the ever-evolving landscape of cybersecurity, attackers are constantly seeking out new attack vectors to deliver malware and compromise their targets. One of the latest trends observed by security researchers is the exploitation of Google Ads to spread infections, taking advantage of the platform's vast reach and the trust users place in the search engine giant.

In this blog post, we will get you into a recent malware campaign identified by the Zscaler ThreatLabz team, where an unidentified threat actor has been weaponizing a cluster of domains masquerading as legitimate IP scanner software sites. The primary objective of this campaign is to trick IT teams, particularly those in IT security and network administration roles, into downloading a previously unseen backdoor named MadMxShell.

Our goal in publishing this post is to raise awareness among IT professionals and educate them on the importance of exercising caution when downloading software from the internet. In the following sections, we will provide you with essential information about the MadMxShell backdoor, its capabilities, how the attackers abused Google Ads to spread the malware, and most importantly, the steps you can take to protect your organization from falling victim to such attacks.

What You Should Know About MadMxShell

The Zscaler ThreatLabz team has been at the forefront of investigating the MadMxShell backdoor, shedding light on its sophisticated anti-evasion techniques and the reasons behind its peculiar name. The team's proactive approach to threat hunting allowed them to detect this malware in the early stages, enabling them to promptly analyze its behavior and share their findings with the cybersecurity community.

The researchers first caught wind of the MadMxShell backdoor while monitoring suspicious activity related to typosquatted domains masquerading as legitimate IP scanner software sites. initially, the results of WhoIs made them suspect this malware. Then Reverse WhoIs by Email, the team found more alike domains registered between November 2023 to March 2024. Further finding the hosting of the domains, the team got that this is not a legit service. By closely examining the network traffic and the files being distributed through these domains, the team was able to identify the presence of a previously unknown malware payload.

As they delved deeper into the analysis of this new threat, the Zscaler ThreatLabz team discovered several notable characteristics that led them to name the backdoor "MadMxShell." This name derives from the malware's use of DNS MX queries for its command-and-control (C2) communication, as well as its remarkably short interval between C2 requests, which sets it apart from other backdoors.

One of the most striking features of MadMxShell is its incorporation of multiple anti-evasion techniques designed to bypass endpoint and network security solutions. The backdoor employs a multi-stage infection process, leveraging DLL side-loading and process hollowing to inject its malicious payload into legitimate system processes. Additionally, MadMxShell utilizes DNS tunneling for its C2 communication, effectively hiding its traffic within seemingly benign DNS queries and responses.

Furthermore, the Zscaler ThreatLabz team discovered that MadMxShell employs advanced obfuscation techniques, such as dynamic API resolution and the use of stack strings, to hinder analysis and evade detection by security solutions. These findings underscore the level of sophistication employed by the threat actors behind this malware campaign, highlighting the importance of staying vigilant and adopting a proactive approach to cybersecurity.

Note: Zscaler covered campaign details, threat actor's infrastructure, and a detailed technical analysis of the backdoor in their publish. We recommend not to skip the complete details for further analysis.

How Attackers Abused Google Ads to Infect the MadMxShell Backdoor?

The attack chain employed by the threat actors behind the MadMxShell backdoor is a multi-stage process that begins with a malvertising campaign abusing Google Ads. By leveraging the popularity and trust associated with Google's advertising platform, the attackers were able to reach a wide audience and maximize the chances of successful infections.

Here's a step-by-step breakdown of the attack chain, as illustrated in the image below:

5. When the user executes Advanced-ip-scanner.exe, it triggers a series of DLL side-loading and process injection techniques. These techniques ultimately lead to the execution of the MadMxShell backdoor, which is injected into a legitimate system process to evade detection.

6. The injected executable extracts and decodes an additional executable file (SHA256: 6de01c65c994e0e428f5043cb496c8adca96ba18dfd2953335d1f3c9b97c60c5) from the resource section of IVIEWERS.dll. This decoded executable then drops two files in the %LOCALAPPDATA%\Microsoft\OneDrive\Update directory:

7. OneDrive.exe is abused to sideload Secur32.dll, which contains the stage 4 shellcode backdoor (SHA256: 105e9a8d1014d2939e6b0ada3f24ad4bb6bd21f0155c284c90c7675a1de9d193) encoded within its icon resource (ID 202).

8. The MadMxShell backdoor establishes communication with the attacker's command-and-control (C2) server (litterbolo[.]com) using DNS MX queries. This allows the attacker to issue commands, collect system information, and exfiltrate sensitive data from the compromised machine.

How You Should be Protected from Such Attacks?

To protect your organization from falling victim to attacks like the one involving the MadMxShell backdoor, implement a comprehensive, multi-layered security strategy:

2. Implement execution policies to control application and script execution:

3. Strengthen network security with advanced solutions:

4. Implement access control policies based on the principle of least privilege:

5. Conduct regular phishing simulations and user education programs:

6. Continuously monitor, assess, and adapt defenses:

By implementing these technical controls, policies, and educational initiatives, organizations can significantly reduce the risk of falling victim to attacks like the one involving the MadMxShell backdoor. However, cybersecurity is an ongoing process that requires constant vigilance and adaptation to remain effective against the ever-changing threat landscape.

Bottom Line

The emergence of the MadMxShell backdoor and its sophisticated attack chain underscore the ever-evolving nature of cyber threats. As attackers continue to exploit new vectors, such as malvertising campaigns abusing Google Ads, organizations must remain vigilant and proactive in their cybersecurity approach. Adopting a multi-layered, defense-in-depth strategy encompassing technical controls, security policies, and user education is crucial. However, cybersecurity is an ongoing process requiring continuous monitoring, assessment, and adaptation. By prioritizing a comprehensive approach to defending against threats like MadMxShell, organizations can significantly reduce their risk of falling victim to costly and damaging cyber attacks.

We hope this post helps you know about MadMxShell, a new backdoor targeting IT Security & Network Administrators, and how to protect the infrastructure by implementing some security controls. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media page

on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.