Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor
During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for the Advanced IP Scanner tool online and inadvertently downloaded the compromised installer from a typo-squatted domain that appeared in their search results.
Figure 1. Search results for Advanced IP Scanner may direct users to a malicious domain.
Advanced IP Scanner is a free network scanner for Windows that analyses local area networks (LANs) and gathers information about connected devices, a tool mostly used by IT administrators. However, for the past year, this tool has been the target of a watering hole attack. Threat actors have been mimicking the legitimate website and abusing Google Ads to ensure their malicious site ranks highly in search results for “Advanced IP Scanner.”
Figure 2. The malicious domain www[.]advanCCed-ip-scaNer[.]com, not to be confused with the legitimate domain www.advanced-ip-scanner.com, redirects to advanCCed-ip-scanner[.]com.
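A defender-side check for the lookalike pattern described above, as an added example that is not part of the original article: it classifies hostnames seen in DNS or proxy logs against the legitimate domain. The function names, the edit-distance threshold of 3 and the eight-character prefix rule are assumptions chosen for illustration.

```python
LEGIT = "advanced-ip-scanner.com"  # legitimate domain named in the article

def split_domain(host: str):
    """Return (label, tld); accepts defanged input such as 'a[.]com'.
    Simplification: assumes a single-label TLD (.com, .org), not .co.uk."""
    parts = host.lower().replace("[.]", ".").strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, legit: str = LEGIT, max_edits: int = 3) -> str:
    """Label a hostname relative to the legitimate domain."""
    label, tld = split_domain(host)
    good_label, good_tld = split_domain(legit)
    if label == good_label:
        return "legit" if tld == good_tld else "tld-swap"
    if len(label) >= 8 and good_label.startswith(label):
        return "truncated-brand"      # threshold of 8 chars is an assumption
    if edit_distance(label, good_label) <= max_edits:
        return "lookalike"            # max_edits=3 is an assumption
    return "unrelated"

# Hostnames from the article (defanged) plus one constructed benign host.
SAMPLE_HOSTS = [
    "www.advanced-ip-scanner.com",
    "www[.]advancced-ip-scaner[.]com",
    "adlvanced-ip-scanner[.]com",
    "advanced-ip-scanner[.]link",
    "advnaced-ip-skanner[.]top",
    "advanced-ip[.]org",
    "intranet.example.org",           # constructed
]

def flag_suspicious(hosts):
    """Return {host: verdict} for everything that imitates the legitimate domain."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v not in ("legit", "unrelated")}

if __name__ == "__main__":
    for host, verdict in flag_suspicious(SAMPLE_HOSTS).items():
        print(f"{verdict:16} {host}")
```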
Figure 3. "Free download" linked to the malicious setup package executable Advanced_IP_Scanner_2.5.4594.1 (MD5: 723227f3a71001fb9c0cd28ff52b2636)
Execution Chain
Figure 4. Execution chain overview
The signed setup file: Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636) downloaded from the fake website contains a DLL named pcre.dll (MD5: 21cdd0a64e8ac9ed58de9b88986c8983) identified as malicious. Normally, this DLL is loaded by the main Advanced IP Scanner program to provide a Perl Compatible Regular Expressions library. However, in this compromised version, it is side-loaded to inject a CobaltStrike beacon into a newly created parent process.
Figure 5. The malicious installer is digitally signed using a stolen certificate
Figure 6. The installed main legitimate program imports the module pcre.dll
The main Advanced IP Scanner program first calls the “pcre_study” function exported by the DLL, where malicious code allocates memory in the parent process's address space and copies the encrypted CobaltStrike beacon into it. Then, the program calls the “pcre_exec” function, which contains code to decrypt the CobaltStrike beacon. Finally, the malicious code creates a new process for Advanced IP Scanner and injects the decrypted CobaltStrike beacon into this new process using the process hollowing technique.
Figure 7. The main program initially calls the pcre_study() function from pcre.dll. The malicious pcre.dll, however, contains a function that allocates memory for the CobaltStrike beacon.
Figure 8. Eventually, the main program calls pcre_exec. The malicious code in pcre.dll, however, decrypts the CobaltStrike beacon shellcode and injects it into a newly created process of the main program.
Figure 9. The malicious code is encrypted and stored in the “.data” section of the malicious pcre.dll file
Figure 10. After extracting and decrypting the block, it reveals the CobaltStrike beacon configuration that includes the C2 server, XOR encoded with 0x2E.
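The decoding step behind Figure 10, as an added analysis example that is not the article's or Trustwave's own tooling: it locates a configuration block XOR-encoded with 0x2E inside an extracted blob and parses its records. The record layout and field numbers are assumptions taken from public open-source beacon configuration parsers, and the sample blob is constructed from values in the appendix table.

```python
import struct

XOR_KEY = 0x2E                      # single-byte key named in Figure 10
T_SHORT, T_INT, T_STR = 1, 2, 3     # record value types
# Assumed layout (from public beacon-config parsers, not from the page):
# big-endian records of id:u16, type:u16, length:u16, value; id 0 ends the list.
FIELDS = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS"}

def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)

# Encoded first record header (id=1, type=short, length=2) used to find the config.
MARKER = xor(struct.pack(">HHH", 1, T_SHORT, 2))

def parse_config(blob: bytes) -> dict:
    """Find the XOR-encoded config inside blob and decode its records."""
    start = blob.find(MARKER)
    if start < 0:
        raise ValueError("no 0x2E-encoded config marker found")
    data, pos, out = xor(blob[start:]), 0, {}
    while pos + 6 <= len(data):
        fid, ftype, flen = struct.unpack_from(">HHH", data, pos)
        raw = data[pos + 6:pos + 6 + flen]
        if fid == 0 or len(raw) < flen:
            break                   # terminator or truncated record
        if ftype == T_SHORT and flen == 2:
            val = struct.unpack(">H", raw)[0]
        elif ftype == T_INT and flen == 4:
            val = struct.unpack(">I", raw)[0]
        elif ftype == T_STR:
            val = raw.split(b"\x00", 1)[0].decode("latin-1")
        else:
            break                   # malformed record: stop instead of guessing
        name = FIELDS.get(fid, f"field_{fid}")
        out[name] = BEACON_TYPES.get(val, val) if fid == 1 else val
        pos += 6 + flen
    return out

def build_sample() -> bytes:
    """Constructed test blob carrying values from the appendix table."""
    def rec(fid, ftype, payload):
        return struct.pack(">HHH", fid, ftype, len(payload)) + payload
    plain = (rec(1, T_SHORT, struct.pack(">H", 8))
             + rec(2, T_SHORT, struct.pack(">H", 443))
             + rec(3, T_INT, struct.pack(">I", 83935))
             + rec(8, T_STR, b"nanopeb.com,/sub/access/PQODJO5X45JC".ljust(256, b"\0"))
             + rec(37, T_INT, struct.pack(">I", 1357776117)))
    return b"\x90" * 32 + xor(plain + b"\0" * 8)  # filler prefix stands in for surrounding bytes
```

Calling `parse_config(build_sample())` returns a dictionary of the decoded fields; on a blob without the encoded marker it raises `ValueError` rather than returning partial data.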
CobaltStrike is a tool that threat actors use after they’ve already broken into the system. It's like a Swiss Army knife for cyberattacks, helping an attacker sneak into networks, move around quietly, and steal information without getting caught.
Originally, it was made for security professionals to simulate attacks and find weaknesses, but now it's often used by the bad guys for real attacks. This is accomplished with the help of a CobaltStrike beacon, a small piece of malicious software the threat actor uses to maintain control over a compromised computer.
Once installed on a target system, it quietly communicates with the attacker’s server, allowing them to send commands, steal data, and spread to other computers in the network. This particular beacon communicates with its command-and-control (C2) servers at nanopeb[.]com and coldfusioncnc[.]com. For the full extracted beacon configuration, please refer to the appendix section below.
This incident shows how important it is to download software only from trusted, official sources. IT admins and security pros need to be extra careful when getting network tools, making sure to use strong security measures like endpoint protection and regular checks for any unusual network activity. Cybercriminals are getting more creative with their attacks, using tricks like typo-squatting, SEO, and fake ads, so it's important to stay alert and keep cybersecurity practices up to date. This campaign is ongoing, and other typo-squatted domains have been reported to deliver CobaltStrike alternatives like Sliver C2 and malware including Danabot, IDATLoader, and MadMXShell.
IOCs:
Network Activity
- https[:]//nanopeb[.]com
- https[:]//coldfusioncnc[.]com
URI Path
- /sub/access/PQODJO5X45JC
- /inquiry/webcart/NPDTA4HJGYF2
Hashes
Backdoored Advanced_IP_Scanner_2.5.4594.1.exe
- 723227f3a71001fb9c0cd28ff52b2636 (MD5)
- fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711 (SHA256)
Malicious pcre.dll
- 21cdd0a64e8ac9ed58de9b88986c8983 (MD5)
- 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e (SHA256)
CobaltStrike beacon shellcode
- e12ebfd9f6e8cf6cbd76b229e7bf7492 (MD5)
- 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4 (SHA256)
Other typo-squatted domains that are still active include:
- https[:]//adlvanced-ip-scanner[.]com
- https[:]//advanced-ip-scanner[.]link
- https[:]//advnaced-ip-skanner[.]top
- https[:]//advanced-ip[.]org
Appendix
CobaltStrike Beacon Configuration:
| Field | Value | Description |
| --- | --- | --- |
| BeaconType | HTTPS | Type of communication protocol used by the beacon. |
| Port | 443 | Port number on which the communication is established. |
| SleepTime | 83935 seconds or 24 hours | Time interval between beacon check-ins. |
| MaxGetSize | 2807995 | Maximum size of data that can be received in one request. |
| Jitter | 44 | Randomized time added to sleep interval for jitter. |
| MaxDNS | Not Found | Maximum size of DNS request. |
| C2Server | nanopeb.com,/sub/access/PQODJO5X45JC; coldfusioncnc.com,/sub/access/PQODJO5X45JC | List of C2 servers and their associated paths. |
| UserAgent | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 | User-Agent string used in HTTP requests. |
| HttpPostUri | /inquiry/webcart/NPDTA4HJGYF2 | URI for HTTP POST requests. |
| Malleable_C2_Instructions | Remove 7449 bytes from the end; Remove 4338 bytes from the beginning; Base64 URL-safe decode; XOR mask w/ random key | Instructions for manipulating C2 communication. See description below. |
| HttpGet_Metadata | Not Found | Additional metadata included in HTTP GET requests. |
| HttpPost_Metadata | Not Found | Additional metadata included in HTTP POST requests. |
| SpawnTo | b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | Process to spawn into. |
| PipeName | Not Found | Named pipe used for communication. |
| DNS_Idle | Not Found | Time interval for DNS queries when system is idle. |
| DNS_Sleep | Not Found | Time interval for DNS queries during normal operation. |
| SSH_Host | Not Found | Hostname for SSH connection. |
| SSH_Port | Not Found | Port for SSH connection. |
| SSH_Username | Not Found | Username for SSH authentication. |
| SSH_Password_Plaintext | Not Found | Plaintext password for SSH authentication. |
| SSH_Password_Pubkey | Not Found | Public key for SSH authentication. |
| HttpGet_Verb | GET | HTTP method used in GET requests. |
| HttpPost_Verb | POST | HTTP method used in POST requests. |
| HttpPostChunk | 0 | Size of chunks for HTTP POST requests. |
| Spawnto_x86 | %windir%\syswow64\systray.exe | Path to execute payload on x86 systems. |
| Spawnto_x64 | %windir%\sysnative\svchost.exe -k netsvc | Path to execute payload on x64 systems. |
| CryptoScheme | 0 | Encryption scheme used for communication. |
| Proxy_Config | Not Found | Configuration for proxy server. |
| Proxy_User | Not Found | Username for proxy server authentication. |
| Proxy_Password | Not Found | Password for proxy server authentication. |
| Proxy_Behavior | Use IE settings | Behavior regarding proxy usage. |
| Watermark | 1357776117 | Watermark for identifying the beacon. |
| bStageCleanup | True | Flag indicating whether cleanup is needed after stage. |
| bCFGCaution | False | Flag indicating caution for CFG memory protection. |
| KillDate | 0 | Date to kill the beacon if configured. |
| bProcInject_StartRWX | False | Flag indicating whether to start RWX memory for injection. |
| bProcInject_UseRWX | False | Flag indicating whether to use RWX memory injection. |
| bProcInject_MinAllocSize | 15585 | Minimum size for memory allocation during injection. |
| ProcInject_PrependAppend_x86 | b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'; b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00' | Code to prepend/append for x86 process injection. See description below. |
| ProcInject_PrependAppend_x64 | b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'; b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}' | Code to prepend/append for x64 process injection. See description below. |
| ProcInject_Execute | ntdll:RtlUserThreadStart; CreateThread; NtQueueApcThread; CreateRemoteThread; RtlCreateUserThread | Methods of execution for process injection. |
| ProcInject_AllocationMethod | VirtualAllocEx | Method used for memory allocation during injection. |
| bUsesCookies | True | Flag indicating whether beacon uses cookies. |
| HostHeader | | Host header used in HTTP requests. |