"'MadMxShell' Leverages Google Ads to Deploy Malware via Windows Backdoor"

A threat actor has been using a cluster of domains posing as legitimate IP scanner software sites to distribute malware through a Windows backdoor dubbed "MadMxShell." According to Zscaler ThreatLabz, the threat actor registered multiple look-alike domains using a typosquatting technique, then used Google Ads to push the fraudulent domains to the top of search engine results for specific search keywords, luring potential victims to these IP scanner websites. The newly discovered backdoor uses several techniques, including multiple stages of Windows Dynamic-Link Library (DLL) sideloading and abuse of the Domain Name System (DNS) protocol to communicate with the Command-and-Control (C2) server. Zscaler named the backdoor MadMxShell because it uses DNS MX queries for C2 communication and has very short intervals between C2 requests. This article continues to discuss findings and observations regarding the MadMxShell backdoor.
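The two C2 traits the summary highlights, MX record queries carrying the channel and very short intervals between them, are exactly what a defender can look for in DNS resolver logs. The following is an added example, not code from the article, Zscaler, or SC Magazine: it parses a constructed resolver log (the format, hosts and domain names are invented placeholders, not indicators from the report), computes per-client MX query counts and the median gap between successive MX queries, and flags clients whose MX query pattern is both frequent and rapid. The thresholds are assumptions to be tuned per environment; a real mail server issues MX queries too, but at a far lower rate and for a broad set of domains.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample resolver log: "<timestamp> <client-ip> <qtype> <qname>".
# All hosts and names below are placeholders invented for this example.
SAMPLE_LOG = """\
2024-04-17T10:00:00Z 10.0.0.5 A  intranet.corp.example
2024-04-17T10:00:01Z 10.0.0.5 MX a1b2.c2-placeholder.example
2024-04-17T10:00:04Z 10.0.0.5 MX c3d4.c2-placeholder.example
2024-04-17T10:00:07Z 10.0.0.5 MX e5f6.c2-placeholder.example
2024-04-17T10:00:10Z 10.0.0.5 MX 0718.c2-placeholder.example
2024-04-17T10:00:13Z 10.0.0.5 MX 293a.c2-placeholder.example
2024-04-17T10:00:16Z 10.0.0.5 MX 4b5c.c2-placeholder.example
2024-04-17T10:00:19Z 10.0.0.5 MX 6d7e.c2-placeholder.example
2024-04-17T10:00:22Z 10.0.0.5 MX 8f90.c2-placeholder.example
2024-04-17T10:00:00Z 10.0.0.9 MX partner-one.example
2024-04-17T10:10:00Z 10.0.0.9 MX partner-two.example
2024-04-17T10:20:00Z 10.0.0.9 MX partner-three.example
2024-04-17T10:05:00Z 10.0.0.7 A  updates.vendor.example
2024-04-17T10:06:00Z 10.0.0.7 AAAA updates.vendor.example
"""

# Assumed thresholds: at least this many MX queries, with a median gap
# between them at or below this many seconds, before a client is flagged.
MIN_MX_COUNT = 5
MAX_MEDIAN_INTERVAL_S = 30.0


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, parts[1], parts[2].upper(), parts[3].lower()))
    return records


def mx_query_stats(records):
    """Per client: number of MX queries, median seconds between them, distinct names."""
    times = defaultdict(list)
    names = defaultdict(set)
    for ts, client, qtype, qname in records:
        if qtype == "MX":
            times[client].append(ts)
            names[client].add(qname)
    stats = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        stats[client] = {
            "count": len(stamps),
            "median_interval": median(gaps) if gaps else None,
            "names": names[client],
        }
    return stats


def flag_suspicious(stats, min_count=MIN_MX_COUNT,
                    max_median_interval=MAX_MEDIAN_INTERVAL_S):
    """Return clients whose MX query pattern is both frequent and rapid."""
    flagged = []
    for client, s in sorted(stats.items()):
        if s["count"] < min_count or s["median_interval"] is None:
            continue
        if s["median_interval"] <= max_median_interval:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    stats = mx_query_stats(parse_log(SAMPLE_LOG))
    for client in flag_suspicious(stats):
        s = stats[client]
        print(f"{client}: {s['count']} MX queries, median gap "
              f"{s['median_interval']:.0f}s, {len(s['names'])} distinct names")
```

Beyond raw rate, the distinct-name set is worth keeping: a host that issues many MX queries for ever-changing subdomains of one parent domain is a stronger signal than a mail relay that queries many unrelated domains slowly, so a second rule on the number of distinct labels under a single parent domain is a natural extension.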

SC Magazine reports "'MadMxShell' Leverages Google Ads to Deploy Malware via Windows Backdoor"

Submitted by grigby1
