Exploring MadMxShell’s Infrastructure: Rapid Pivoting for Actionable Insights
In a great blog post, Zscaler revealed a recent campaign targeting IT professionals via Google malvertising in order to distribute a new backdoor named "MadMxShell". In this campaign, the attackers registered domains mimicking the names of well-known IP scanners to lure their victims into downloading a zip archive containing a legitimate executable that sideloads a malicious DLL, also contained in the archive. It is worth noting that the attackers went to great lengths to evade detection and hinder analysis, using multiple stages of DLL sideloading to inject encrypted shellcode, and DNS requests to communicate with the final payload's C2.
While Zscaler did an amazing job on the reverse engineering aspect and provided an extensive list of IoCs, they did not provide any IP addresses in their article… or I did not see them. Anyway, I decided this could make a quick example of how simple pivoting can enrich existing third-party analysis. In this article I will only use tools that are freely available for personal research, such as VirusTotal, Shodan, Censys, UrlScan, and Maltego for visual representation.
Zscaler’s blog includes a long list of domain names used by the attackers during their campaign:
Figure: Extract from the list of malicious domain names used by the attackers (source: Zscaler).
With such a list at hand, I decided to identify IP addresses associated with these domains. For this purpose, I utilized the passive DNS service provided by VirusTotal:
Figure: VirusTotal results for one of the domain names identified by Zscaler
While this domain is flagged as malicious by several antivirus engines, the associated IP addresses are not, and rightfully so, as these addresses belong to legitimate Content Delivery Network (CDN) servers. Two of these IP addresses belong to Cloudflare, while the third is associated with Datacamp. It is possible that the attackers have used these CDNs to conceal their infrastructure behind legitimate services.
I had more success when pivoting on another domain, advanced-ip-scaaner[.]com. This domain is associated with the IP address 144.217.123[.]10, a server hosted by the French company OVH. This address is in turn linked to several other domains typosquatting legitimate IP scanner services:
Figure: The current IP address is associated with 56 other domain names and subdomains typosquatting legitimate IP scanners.
I therefore decided to investigate this IP address more closely. Using Shodan, I observed that this server has many open ports, and several of them display a distinctive certificate:
Figure: Certificate displayed across several open ports of the IP 144.217.123[.]10.
The Issuer field mentions Vesta, an open source hosting control panel that is free to use under GPLv3. It is likely that the attackers use this tool to set up and administer malicious websites. The distinctive element in the current certificate is the subdomain 'vps-26cb93cc.vps.ovh[.]ca' mentioned in the Issuer field.
By pivoting via Censys on the issuer name of this certificate, I obtained three more results.
Figure: Pivoting on the content of the issuer field in the certificate reveals three more IP addresses.
We could have obtained the same results using the SSH key fingerprint on port 22. It’s worth noting that all these IP addresses share a similar pattern of open ports (21, 22, 25, 53, 80, 110, 143, 465, 587, 993, 995, 2525, 3306, 8083). Furthermore, all these IPs are associated with servers hosted by OVH, which aligns with the host’s explicit mention in the CN field of their certificates.
Figure: Mapping the attacker’s infrastructure through passive DNS pivots on four IP addresses that display identical CN fields in their certificates.
A passive DNS pivot on these four IP addresses revealed that all have been resolved by domain names typosquatting known legitimate IP scanning services. As shown in the above graph, at least three of these IP addresses could have been identified using passive DNS pivots on the domain names advanced-lp-scanner[.]com and advanceb-ip-scanner[.]com.
However, the address 51.222.204[.]42 is notable for not being in the same range as the others (though it is still linked to OVH), and most of the associated domain names are not typosquatting legitimate scanners. It is possible that these domains, including beckersfo[.]com, industrialhydroblast[.]com, keystore-explore[.]online, and roaryouth[.]com, might actually be legitimate, perhaps resolving the aforementioned IP addresses before or after their misuse by attackers. It’s also conceivable that these IPs are legitimate CDN nodes. However, several factors suggest otherwise. For instance, two of the four IP addresses, which display a certificate with the aforementioned CN field, are resolved only by malicious domains. This makes it unlikely that they are used for legitimate CDN nodes, which would typically be associated with legitimate domains featuring diverse thematic patterns. Moreover, none of these domains currently display a webpage. Additionally, some of these IP addresses have been resolving both IP scanner typosquatted domains and other domains simultaneously within the same time window. It is also worth noting that the domains not matching the ‘IP scanners’ pattern may still typosquat other legitimate organizations.
| Potentially malicious domains | Legitimate domains | Comments |
|---|---|---|
| keystore-explore[.]online | keystore-explorer[.]org/ | KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. |
| industrialhydroblast[.]com | industrialhydroblasting[.]com/ | |
| roaryouth[.]com | www.rotary[.]org/en/our-programs/youth-programs | May refer to Rotary Youth Exchange (RYE), an international student exchange program for students in secondary school. |
Last but not least, research on the domain beckersfo[.]com revealed that the web page contained IP scanner-related strings when it was indexed.
For all these reasons, I would recommend keeping an eye on these domains as well. Thanks to further DNS pivots, I was able to find another IP address resolved by domains typosquatting IP scanners, 83.97.73[.]252.
While DNS pivots can be very useful for mapping attackers’ infrastructures, it is necessary to remain cautious to avoid over-pivoting and mistakenly identifying related but perfectly legitimate infrastructure. In this case, since the attackers use CDN services, there was a risk of falsely labeling legitimate services as malicious. The most time-consuming task in my investigation was actually excluding all legitimate IPs associated with these services. For the sake of clarity, I neither mentioned in the text nor showed these IP addresses on the graph.
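The pivot logic used above (certificate issuer CN, identical port pattern, shared passive DNS domains) together with the over-pivoting caveat, as an added example that is not part of the original post. The records below are constructed to mirror the findings, not real VirusTotal/Shodan/Censys output; the Cloudflare prefix and the brand list are assumed analyst-maintained inputs.

```python
import ipaddress

# Constructed sample records modelled on the post's findings (not real VT/Shodan/Censys data).
CDN_RANGES = [ipaddress.ip_network("104.16.0.0/13")]  # assumed CDN exclusion list (Cloudflare prefix)
BRANDS = ["advanced-ip-scanner"]                       # legitimate names the attackers typosquat
OVH_CN = "vps-26cb93cc.vps.ovh.ca"                     # issuer CN seen on the seed server
VESTA_PORTS = {21, 22, 25, 53, 80, 110, 143, 465, 587, 993, 995, 2525, 3306, 8083}
HOSTS = {
    "144.217.123.10": {"issuer_cn": OVH_CN, "ports": VESTA_PORTS,
                       "domains": {"advanced-ip-scaaner.com", "advanceb-ip-scanner.com"}},
    "144.217.117.245": {"issuer_cn": OVH_CN, "ports": VESTA_PORTS,
                        "domains": {"advanced-lp-scanner.com"}},
    "51.222.204.42": {"issuer_cn": OVH_CN, "ports": VESTA_PORTS,
                      "domains": {"advanceb-ip-scanner.com", "roaryouth.com", "keystore-explore.online"}},
    # CDN edge node sharing a domain with the seed: the over-pivot trap described in the post
    "104.16.1.1": {"issuer_cn": "cdn-issuer (constructed)", "ports": {80, 443},
                   "domains": {"advanced-ip-scaaner.com", "example-shop.com"}},
}

def in_cdn(ip):
    """True when the address falls in a known CDN prefix: never pivot through it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typosquat(domain, max_dist=2):
    """Compare the registrable label (TLD stripped) against the brand list."""
    label = domain.rsplit(".", 1)[0]
    return any(levenshtein(label, b) <= max_dist for b in BRANDS)

def pivot(seed, hosts):
    """Return {ip: reasons} for hosts linked to the seed, skipping CDN edges entirely."""
    s, out = hosts[seed], {}
    for ip, h in hosts.items():
        if ip == seed or in_cdn(ip):
            continue
        reasons = set()
        if h["issuer_cn"] == s["issuer_cn"]: reasons.add("cert-issuer")
        if h["ports"] == s["ports"]:         reasons.add("port-pattern")
        if h["domains"] & s["domains"]:      reasons.add("shared-domain")
        if reasons:
            out[ip] = reasons
    return out

def assess(ip, hosts):
    """'confirmed' if every resolving domain is a typosquat; 'review' for mixed hosts like 51.222.204.42."""
    return "confirmed" if all(is_typosquat(d) for d in hosts[ip]["domains"]) else "review"
```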
After investigating malvertising domains, I decided to devote some time to studying the C2 domain mentioned by Zscaler, litterbolo[.]com. Unfortunately, this domain only resolves to Cloudflare IP addresses. Therefore, it is not possible to identify the IP address of the server(s) used by the attackers with a simple DNS pivot.
Figure: litterbolo[.]com resolves to Cloudflare IP addresses
However, while reading historically available Whois information about this domain, I noticed that this domain was using ns1.litterbolo[.]com and ns2.litterbolo[.]com as Name Servers.
Figure: historical Whois record from March 2024, before the infrastructure was concealed behind Cloudflare
Both these domains resolve to the IP address 62.204.41[.]103, which belongs to Horizon LLC. According to some sources, this company, incorporated in Russia, may be a bulletproof hosting provider (BPH). It seems that previous DNS resolutions associated with this IP address included typosquatted domains such as billergenie-app[.]com, which mimics the legitimate invoicing tool billergenie (https://billergenie[.]com/).
Conclusion:
While I could have continued this investigation and probably found several other pertinent indicators, this blog was intended to show that threat intelligence can easily be used to enrich vendors' public reports. The fact that it has been possible, with very simple pivots, to identify several IP addresses and domains suggests that the threat actor behind this campaign demonstrated poor operational security (OPSEC).
IoCs
51[.]222[.]204[.]42
144[.]217[.]117[.]245
144[.]217[.]123[.]10
83[.]97[.]73[.]252
62[.]204[.]41[.]103
beckersfo[.]com
industrialhydroblast[.]com
billergenie-app[.]com
keystore-explore[.]online
roaryouth[.]com