{"id":7676,"date":"2024-04-23T07:54:49","date_gmt":"2024-04-23T07:54:49","guid":{"rendered":"\/cybersecurity-blog\/?p=7676"},"modified":"2024-04-25T13:17:09","modified_gmt":"2024-04-25T13:17:09","slug":"attackers-exploit-google-ads","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/","title":{"rendered":"Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor"},"content":{"rendered":"\n<p>A new malicious advertising campaign on Google Ads is <a href=\"https:\/\/thehackernews.com\/2024\/04\/malicious-google-ads-pushing-fake-ip.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">exploiting<\/a> a group of up to 45 domains that impersonate an IP scanner to distribute a new backdoor called <a href=\"https:\/\/app.any.run\/tasks\/78505228-9d36-4f88-8f02-646a5d6cb037\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>MadMxShell<\/strong><\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is MadMxShell?\u00a0<\/h2>\n\n\n\n<p>MadMxShell is a sophisticated Windows backdoor that uses DNS MX queries to communicate with its C2 server, located at litterbolo[.]com. The malware can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collect system data. &nbsp;<\/li>\n\n\n\n<li>Run commands via Cmd.exe. 
&nbsp;<\/li>\n\n\n\n<li>Read, write, and delete files on the infected host.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"208\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-1024x208.png\" alt=\"\" class=\"wp-image-7677\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-1024x208.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-300x61.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-768x156.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-1536x312.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-2048x416.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-370x75.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-270x55.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image-740x150.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a href=\"https:\/\/app.any.run\/tasks\/78505228-9d36-4f88-8f02-646a5d6cb037\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s network tab shows attempts to make DNS requests to C2&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Notably, it communicates with the C2 server by encoding data in the subdomains of DNS MX query packets and receives commands encoded within the response packets, hence the name MadMxShell.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAnalyze malware in <span class=\"highlight\">ANY.RUN<\/span> cloud interactive 
sandbox&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=madmxxhell_attack&#038;utm_term=230424&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nGet started free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Why is this significant?&nbsp;<\/h2>\n\n\n\n<p>This is the first time a campaign has used Google Ads to spread a sophisticated Windows backdoor \u2014 a technique known as malvertising.&nbsp;<\/p>\n\n\n\n<p>Malvertising involves using Google Ads to push malicious domains to the top of search engine results for specific keywords, tricking victims into visiting them.&nbsp;<\/p>\n\n\n\n<p>In this case, between November 2023 and March 2024, attackers registered a group of over 45 domains that mimic legitimate software such as Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner, and ManageEngine Advanced IP Scanner.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"728\" height=\"460\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2.png\" alt=\"\" class=\"wp-image-7678\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2.png 728w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-300x190.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-370x234.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image2-270x171.png 270w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><figcaption class=\"wp-element-caption\">Diagram of the infection chain. Source: <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/malvertising-campaign-targeting-it-teams-madmxshell\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Zscaler<\/a><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How does the infection chain work?&nbsp;<\/h2>\n\n\n\n<p>The infection process begins when a user searching for popular IP scanning tools clicks on a malicious Google Ad and is directed to one of the 45 typosquatted domains registered by the attackers.&nbsp;<\/p>\n\n\n\n<p>Upon clicking the download button on these fake sites, a malicious ZIP archive named &#8220;Advanced-ip-scanner.zip&#8221; is downloaded. 
As we can see in <a href=\"https:\/\/app.any.run\/tasks\/78505228-9d36-4f88-8f02-646a5d6cb037\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">this recording of an interactive analysis session in ANY.RUN sandbox<\/a>, this archive contains two files: a DLL file named <strong>IVIEWERS.dll<\/strong> and an executable named <strong>Advanced-ip-scanner.exe<\/strong>:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1024x567.png\" alt=\"\" class=\"wp-image-7679\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-2048x1134.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image3-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Safely test malicious files in <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktolanding\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> \u2014 a cloud interactive malware sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>When the user runs the 
<strong>Advanced-ip-scanner.exe<\/strong>, it uses DLL side-loading to load the malicious IVIEWERS.dll file and initiate the infection sequence.&nbsp;<\/p>\n\n\n\n<p>The DLL file then injects embedded shellcode into the <strong>Advanced-ip-scanner.exe <\/strong>process using process hollowing. 
The DLL effectively replaces the memory of a legitimate process with malicious code, allowing the malware to masquerade as a benign process.&nbsp;<\/p>\n\n\n\n<p>After the injection, the compromised <strong>Advanced-ip-scanner.exe <\/strong>process unpacks two additional files:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li><strong>OneDrive.exe.<\/strong>&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li><strong>Secur32.dll<\/strong>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p><strong>OneDrive.exe <\/strong>is a legitimate Microsoft binary that has been digitally signed. The malware abuses this trusted binary to sideload the malicious <strong>Secur32.dll <\/strong>file, which sets a scheduled task for persistence and executes the shellcode backdoor.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-1024x565.png\" alt=\"\" class=\"wp-image-7680\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-2048x1130.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/image4-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The process graph displays the relationship between processes launched by 
<a href=\"https:\/\/app.any.run\/tasks\/78505228-9d36-4f88-8f02-646a5d6cb037\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">MadMxShell in ANY.RUN<\/a><\/figcaption><\/figure><\/div>\n\n\n<p>MadMxShell uses a variety of evasion techniques to complicate analysis. In addition to DNS tunneling for its C2 communication and multi-stage DLL loading, running a sample in ANY.RUN reveals more tricks. The <strong>Cmd.exe <\/strong>process with <strong>ID 5356 <\/strong>runs a ping command to delay simulation\u2014likely an attempt to evade automatic sandboxes that have a limited time window for analyzing samples.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN is a trusted partner for more than 400,000 cybersecurity professionals around the world. Our interactive sandbox simplifies malware analysis of threats targeting both Windows and Linux systems, providing analysts with an advanced tool for investigations. Our threat intelligence products, Lookup and Feeds, offer refined indicators of compromise and context that lets users detect threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. 
It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team, simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Get in touch with us and we\u2019ll provide you with a guided tour of ANY.RUN and show you how it can help your security team.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/contact-us\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=madmxxhell_attack&amp;utm_term=230424&amp;utm_content=linktocontactus\/\" target=\"_blank\" rel=\"noreferrer noopener\">Contact us \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new malicious advertising campaign on Google Ads is 
exploiting a group of up to 45 domains that impersonate an IP scanner to distribute a new backdoor called MadMxShell.&nbsp;&nbsp; What is MadMxShell?\u00a0 MadMxShell is a sophisticated Windows backdoor that uses DNS MX queries to communicate with its C2 server, located at litterbolo[.]com. The malware can:&nbsp; [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7683,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,34],"class_list":["post-7676","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cybercriminals Exploit Google Ads to Spread a Backdoor<\/title>\n<meta name=\"description\" content=\"A new malicious campaign on Google Ads is exploiting domains that impersonate an IP scanner to distribute a new backdoor called MadMxShell.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy and Stas Gaivoronskii\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\"},\"author\":{\"name\":\"Jack Zalesskiy and Stas Gaivoronskii\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor\",\"datePublished\":\"2024-04-23T07:54:49+00:00\",\"dateModified\":\"2024-04-25T13:17:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\"},\"wordCount\":888,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\",\"name\":\"Cybercriminals Exploit Google Ads to Spread a Backdoor\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-04-23T07:54:49+00:00\",\"dateModified\":\"2024-04-25T13:17:09+00:00\",\"description\":\"A new malicious campaign on Google Ads is exploiting domains that impersonate an IP scanner to distribute a new backdoor called 
MadMxShell.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp\",\"caption\":\"Jack Zalesskiy\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Stas Gaivoronskii\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png\",\"caption\":\"Stas Gaivoronskii\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cybercriminals Exploit Google Ads to Spread a Backdoor","description":"A new malicious campaign on Google Ads is exploiting domains that impersonate an IP scanner to distribute a new backdoor called MadMxShell.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/","twitter_misc":{"Written by":"Jack Zalesskiy and Stas Gaivoronskii","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/"},"author":{"name":"Jack Zalesskiy and Stas Gaivoronskii","@id":"https:\/\/any.run\/"},"headline":"Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor","datePublished":"2024-04-23T07:54:49+00:00","dateModified":"2024-04-25T13:17:09+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/"},"wordCount":888,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/","url":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/","name":"Cybercriminals Exploit Google Ads to Spread a Backdoor","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-04-23T07:54:49+00:00","dateModified":"2024-04-25T13:17:09+00:00","description":"A new malicious campaign on Google Ads is exploiting domains that 
impersonate an IP scanner to distribute a new backdoor called MadMxShell.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/attackers-exploit-google-ads\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"Cybercriminals Exploit Google Ads to Spread IP Scanner with Concealed Backdoor"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp","caption":"Jack Zalesskiy"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Stas Gaivoronskii","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png","caption":"Stas Gaivoronskii"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7676"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7676"}],"version-history":[{"count":5,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7676\/revisions"}],"predecessor-version":[{"id":7714,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7676\/revisions\/7714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7683"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}