IT professionals at gunpoint: MadMxShell backdoor hides in legitimate network tools

Father

The clever tactics of scammers mislead even experienced professionals.

On April 17, Zscaler disclosed a malware distribution campaign targeting IT professionals. The campaign uses deceptive advertising for popular network utilities to deliver a new backdoor called MadMxShell.

The campaign began in March of this year, when the attackers registered domains closely resembling the official sites of well-known IP address scanning and network administration software. Among the imitated names were such well-known programs as Advanced IP Scanner and Angry IP Scanner. This method, known as typosquatting, increases the likelihood that IT professionals will mistakenly click on a malicious link.

Clicking such an ad takes the user to a page disguised as the developer's official website, which offers a download containing the MadMxShell backdoor.

MadMxShell uses a complex multi-step deployment process that evades detection by standard security tools. The initial load relies on DLL sideloading, in which a legitimate program loads a malicious DLL. That DLL, in turn, loads additional components that establish communication with the attackers' command-and-control server.

One of the most troubling aspects of MadMxShell is its use of DNS MX queries to communicate with the command-and-control server. This technique uses the standard DNS protocol in a non-standard way, which makes the malicious traffic harder to spot. In addition, MadMxShell employs anti-memory-analysis techniques, which make it difficult for security specialists to study how it operates.
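A detection heuristic for the MX-query channel described above, written as an added example for this post (not Zscaler's code and not derived from MadMxShell's actual encoding): it reads constructed resolver log lines and flags clients that issue many MX queries whose leftmost label looks random, while leaving a mail relay that resolves real domain names unflagged.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<client_ip> <qtype> <qname>". Illustrative
# only; not captured MadMxShell traffic, and the label format is an assumption.
SAMPLE_LOG = """\
10.0.0.5 MX example-corp.test
10.0.0.20 MX example.test
10.0.0.20 MX partner.test
10.0.0.20 MX vendor.test
10.0.0.20 MX supplier.test
10.0.0.20 MX newsletter.test
10.0.0.9 MX 7f3a9c2e1b.c2-lookalike.test
10.0.0.9 MX 0d4e88a1f2c9.c2-lookalike.test
10.0.0.9 MX b19e77aa03d5.c2-lookalike.test
10.0.0.9 MX 5c0ffee1dead.c2-lookalike.test
10.0.0.9 MX 9a8b7c6d5e4f.c2-lookalike.test
10.0.0.9 MX 1234abcd5678.c2-lookalike.test
"""

def shannon_entropy(label):
    # Bits per character; random-looking labels score higher than real words.
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    # Yield (client, qtype, qname) tuples, skipping malformed lines.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower()

def flag_mx_anomalies(text, min_queries=5, min_entropy=3.0):
    """Return stats for clients with at least min_queries MX lookups whose
    leftmost label has entropy >= min_entropy. Mail relays query MX records
    for real domains (low-entropy labels); workstations rarely query MX at all."""
    per_client = defaultdict(list)
    for client, qtype, qname in parse_log(text):
        if qtype == "MX":
            per_client[client].append(qname)
    flagged = {}
    for client, names in per_client.items():
        high = [q for q in names if shannon_entropy(q.split(".")[0]) >= min_entropy]
        if len(high) >= min_queries:
            flagged[client] = {"mx_queries": len(names), "distinct": len(set(names)), "high_entropy": len(high)}
    return flagged
```

The entropy threshold and query count are tuning knobs; baseline them against your own resolver logs, since legitimate mail infrastructure is the main source of MX queries on most networks.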

Jason Soroko, senior vice president of products at Sectigo, points out that defenders rarely look for malicious command-and-control communications in the DNS traffic associated with email exchange, which gives attackers room to hide.

Soroko also noted that the attackers use a technique that prevents memory from being dumped for analysis, which complicates the work of endpoint protection tools.

To minimize risk, be wary of unsolicited advertising, enable pop-up blockers, maintain reliable security software, and train employees to recognize the dangers of malicious advertising and social engineering.