MadMxShell, a previously unknown Windows backdoor, is being spread through Google Ads, and the resulting campaign has caused digital chaos

Google Ads are a common sight for anyone stepping foot online, and they’re a sure-fire way to guarantee clicks for those behind the advertising campaigns. Naturally, this makes them of great interest to threat actors: malvertising is not only a useful tool for attackers, it’s also an easy way to lead people to malicious websites. MadMxShell appears to be a complex piece of malware, comprising several attack methods and tools, so it’s crucial that your organization is on guard against it.

How MadMxShell Serves Up Its Malware

The threat actor responsible for MadMxShell is yet to be identified, but the effort invested in the attack demonstrates they’re highly skilled. The actor registered several domains in the IP scanner niche with names that closely resemble those of official sites (a technique known as typosquatting), then took advantage of the Google Ads algorithm to push them to the top of the search engine results. This was achieved by targeting keywords, the words and phrases people type into search engines when looking for specific content, and ensuring that the adverts’ click rate was maximized.

Once lured to these malicious websites, visitors are encouraged to download IP scanner software. But, as you’ve already worked out, there is no IP scanner software to download. Instead, MadMxShell is downloaded and executed. Using a multi-stage attack, MadMxShell sets to work harvesting data from infected systems. It does this by communicating with command-and-control servers, and it evades detection by injecting altered code into seemingly legitimate processes.

Curiously, as the entire campaign centers around IP scanning software, it would appear the main target of MadMxShell is IT professionals. Despite being a tough crowd to deceive, MadMxShell has already claimed plenty of victims, which underlines the ease with which even professionals can be taken in by malware.

Keeping the Threat of MadMxShell at Bay

It may sound as though MadMxShell is impossible to protect yourself against, especially if IT experts are struggling to defend against its threat. However, by taking the time to consider the validity of content you see online, you can significantly reduce the risk of falling victim to MadMxShell or similar attacks. The most important factors to consider are:

  • Always Verify Sources: before clicking on an online advert, always verify its source. If you’re unfamiliar with a website name, try performing a Google search against it, as this may flag it as a malicious website. Remember, many attacks use typosquatting, so it’s important that URLs are double checked. For example, usa.visa.com is official, but usa.v1sa.com is an attempt to imitate the official website.
  • If It’s Too Good to Be True: online adverts offering unlikely and unrealistic rewards should always be scrutinized closely. While they may not necessarily link you to malicious websites, some form of scam or deception is the most likely end point.
  • Use an Adblocker: pop-up adverts are both annoying and a potential security risk, so why not minimize these risks by installing an adblocker in your browser? Easy to operate, and available for free, these browser add-ons prevent pop-up adverts from being displayed on your screen. Popular adblockers include Adblock Plus, Privacy Badger, and Ghostery.
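The "double check the URL" advice above can be turned into a simple automated check. The following is an added example (not code from the original post or from any product it mentions) that takes a URL from an advert, extracts the hostname, and compares it against an allow-list of domains the organization trusts. It flags hosts that match a trusted domain only after common digit-for-letter substitutions (the usa.v1sa.com case from the list above) or that are within a small edit distance of one, and it also catches the case where a non-ASCII lookalike character has been slipped into the name. The allow-list, the `ipscanner.example` placeholder domain, and the similarity threshold are assumptions chosen for the example.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Hypothetical allow-list of domains the organization trusts (constructed for
# this example; usa.visa.com is the one the post itself uses, the other is a
# placeholder for a legitimate IP scanner vendor).
TRUSTED_DOMAINS = ["usa.visa.com", "ipscanner.example"]

# Characters commonly substituted for letters in typosquatted names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
              "rn": "m", "vv": "w"}

# Similarity (0..1) above which a host is treated as a lookalike of a trusted
# domain; an assumed value, tune it against your own allow-list.
THRESHOLD = 0.85


def hostname(url: str) -> str:
    """Extract the lowercase hostname; bare domains without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def normalize_host(host: str) -> str:
    """Fold lookalike characters so that a disguised name resembles its target.

    Non-ASCII characters (e.g. a Cyrillic letter standing in for a Latin one)
    are stripped after NFKD normalization; the resulting gap still leaves the
    host close enough to the real domain for the similarity check to fire.
    """
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def classify(url: str, trusted=TRUSTED_DOMAINS, threshold=THRESHOLD):
    """Return ("trusted" | "lookalike" | "unknown", matched-or-seen host)."""
    host = hostname(url)
    if host in trusted:
        return ("trusted", host)
    norm = normalize_host(host)
    best = None
    for t in trusted:
        if norm == t:
            # Differs from the real domain only by homoglyph substitution.
            return ("lookalike", t)
        ratio = SequenceMatcher(None, norm, t).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (t, ratio)
    if best:
        return ("lookalike", best[0])
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample adverts: one genuine, two typosquats, one unrelated.
    for sample in ["https://usa.visa.com/", "usa.v1sa.com",
                   "https://ip-scanner.example/download", "https://github.com/"]:
        verdict, match = classify(sample)
        print(f"{sample:40} -> {verdict:9} ({match})")
```

The check is deliberately conservative: an exact allow-list hit is "trusted", anything close to a trusted name but not identical is "lookalike" and worth a second look before the link is followed, and everything else is simply "unknown", which is not a verdict of safety. For short domains a 0.85 threshold can produce false positives, so in practice the allow-list and threshold are tuned together, and production tooling would use a proper Unicode confusables table rather than stripping non-ASCII characters.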

For more ways to secure and optimize your business technology, contact your local IT professionals.
