SpiderLabs Blog

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

Written by Rodel Mendrez | Jun 5, 2024 4:32:18 PM

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for the Advanced IP Scanner tool online and inadvertently downloaded the compromised installer from a typo-squatted domain that appeared in their search results.


Figure 1. Search results for Advanced IP Scanner may direct users to a malicious domain.

Advanced IP Scanner is a free network scanner for Windows that analyses local area networks (LANs) and gathers information about connected devices, a tool mostly used by IT administrators. However, for the past year, this tool has been the target of a watering hole attack. Threat actors have been mimicking the legitimate website and abusing Google Ads to ensure their malicious site ranks highly in search results for “Advanced IP Scanner.”


Figure 2. The malicious domain www[.]advanCCed-ip-scaNer[.]com, not to be confused with the legitimate domain www.advanced-ip-scanner.com, redirects to advanCCed-ip-scanner[.]com.


Figure 3. "Free download" linked to the malicious setup package executable Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636)

 

Execution Chain


Figure 4. Execution chain overview

The signed setup file Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636), downloaded from the fake website, contains a DLL named pcre.dll (MD5: 21cdd0a64e8ac9ed58de9b88986c8983) that we identified as malicious. Normally, this DLL is loaded by the main Advanced IP Scanner program to provide the Perl Compatible Regular Expressions (PCRE) library. In this compromised version, however, the side-loaded DLL injects a CobaltStrike beacon into a newly created instance of the main program.


Figure 5. The malicious installer is digitally signed using a stolen certificate


Figure 6. The installed main legitimate program imports the module pcre.dll

The main Advanced IP Scanner program first calls the pcre_study() export of the DLL; in the malicious DLL, this function allocates memory in the calling process's address space and copies the encrypted CobaltStrike beacon into it. The program then calls pcre_exec(), whose malicious implementation decrypts the beacon, creates a new Advanced IP Scanner process, and injects the decrypted beacon into that process using the process hollowing technique.


Figure 7. The main program initially calls the pcre_study() function from pcre.dll. The malicious pcre.dll, however, contains a function that allocates memory for the CobaltStrike beacon.


Figure 8. Eventually, pcre_exec() is called by the main program. The malicious code in pcre.dll, however, decrypts the CobaltStrike beacon shellcode and injects it into a newly created process of the main program.



Figure 9. The malicious code is encrypted and stored in the “.data” section of the malicious pcre.dll file


Figure 10. After extracting and decrypting the block, it reveals the CobaltStrike beacon configuration that includes the C2 server, XOR encoded with 0x2E.
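The XOR-decoding step that Figure 10 refers to, carried through as an added example that is not code from this post or from Trustwave: Beacon stores its configuration as a sequence of TLV records (2-byte big-endian field ID, 2-byte type, 2-byte length, then the value), XORed byte-wise with 0x2E in Beacon 4.x (0x69 in 3.x), so an extractor can locate the block by searching for the XORed first record and then walk the records. The sample blob is constructed from values reported in this post and stands in for the real .data section; the field IDs and type codes follow the publicly documented layout used by open-source config extractors.

```python
import struct

# Subset of the documented Beacon config field IDs (the full table is ~70 entries).
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
               8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
XOR_KEYS = (0x2E, 0x69)                      # Beacon 4.x, then 3.x
# The first record is always BeaconType: ID=1, type=1 (short), length=2.
CONFIG_MARKER = b"\x00\x01\x00\x01\x00\x02"

def tlv(field_id, value):
    """Encode one record: bytes -> type 3; ints -> short (type 1) or int (type 2)."""
    if isinstance(value, bytes):
        return struct.pack(">HHH", field_id, 3, len(value)) + value
    if value <= 0xFFFF:
        return struct.pack(">HHHH", field_id, 1, 2, value)
    return struct.pack(">HHHI", field_id, 2, 4, value)

def build_sample_blob(key=0x2E):
    """CONSTRUCTED stand-in for the .data section: junk, XORed config, junk."""
    config = b"".join([
        tlv(1, 8), tlv(2, 443), tlv(3, 83935), tlv(5, 44),
        tlv(8, b"nanopeb.com,/sub/access/PQODJO5X45JC"),
        tlv(10, b"/inquiry/webcart/NPDTA4HJGYF2"), tlv(37, 1357776117),
    ]) + b"\x00" * 16                        # real configs are zero-padded
    return b"\x90" * 32 + bytes(b ^ key for b in config) + b"\xcc" * 16

def find_and_decode(blob):
    """Scan for the XORed marker under each known key; return (key, fields)."""
    for key in XOR_KEYS:
        off = blob.find(bytes(b ^ key for b in CONFIG_MARKER))
        if off < 0:
            continue
        data = bytes(b ^ key for b in blob[off:])
        fields, pos = {}, 0
        while pos + 6 <= len(data):
            fid, ftype, flen = struct.unpack_from(">HHH", data, pos)
            pos += 6
            if fid == 0 or ftype not in (1, 2, 3):
                break                        # zero padding ends the config
            raw, pos = data[pos:pos + flen], pos + flen
            if ftype == 3:                   # byte/string fields are NUL-padded
                value = raw.rstrip(b"\x00").decode("latin-1")
            else:
                value = int.from_bytes(raw, "big")
            name = FIELD_NAMES.get(fid, f"field_{fid}")
            fields[name] = BEACON_TYPES.get(value, value) if fid == 1 else value
        return key, fields
    return None, {}
```

Run against a real dump, the same routine returns the key that matched and the decoded records; an unknown field ID is reported as field_N rather than dropped.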

CobaltStrike is a tool that threat actors use after they’ve already broken into the system. It's like a Swiss Army knife for cyberattacks, helping an attacker sneak into networks, move around quietly, and steal information without getting caught.

Originally, it was made for security professionals to simulate attacks and find weaknesses, but now it's often used by the bad guys for real attacks. This is accomplished with the help of a CobaltStrike beacon, a small piece of malicious software the threat actor uses to maintain control over a compromised computer.

Once installed on a target system, it quietly communicates with the attacker’s server, allowing them to send commands, steal data, and spread to other computers in the network. This particular beacon communicates with its command-and-control (C2) servers at nanopeb[.]com and coldfusioncnc[.]com. For the full extracted beacon configuration, please refer to the appendix section below.

This incident shows how important it is to download software only from trusted, official sources. IT admins and security professionals need to be especially careful when obtaining network tools, and should rely on controls such as endpoint protection and regular review of unusual network activity. Cybercriminals are getting more creative with their attacks, using tricks like typo-squatting, SEO, and fake ads, so it is important to stay alert and keep cybersecurity practices up to date. This campaign is ongoing, and other typo-squatted domains have been reported to deliver CobaltStrike alternatives such as Sliver C2, as well as malware including Danabot, IDATLoader, and MadMXShell.

IOCs:

Network Activity

  • https[:]//nanopeb[.]com
  • https[:]//coldfusioncnc[.]com

 

URI Path

  • /sub/access/PQODJO5X45JC
  • /inquiry/webcart/NPDTA4HJGYF2

 

Hashes

Backdoored Advanced_IP_Scanner_2.5.4594.1.exe

  • 723227f3a71001fb9c0cd28ff52b2636 (MD5)
  • fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711 (SHA256)

Malicious pcre.dll

  • 21cdd0a64e8ac9ed58de9b88986c8983 (MD5)
  • 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e (SHA256)

CobaltStrike beacon shellcode

  • e12ebfd9f6e8cf6cbd76b229e7bf7492 (MD5)
  • 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4 (SHA256)

Other typo-squatted domains that are still active include:

  • https[:]//adlvanced-ip-scanner[.]com
  • https[:]//advanced-ip-scanner[.]link
  • https[:]//advnaced-ip-skanner[.]top
  • https[:]//advanced-ip[.]org

 

Appendix

CobaltStrike Beacon Configuration:

Field | Value | Description
--- | --- | ---
BeaconType | HTTPS | Type of communication protocol used by the beacon.
Port | 443 | Port number on which the communication is established.
SleepTime | 83935 seconds or 24 hours | Time interval between beacon check-ins.
MaxGetSize | 2807995 | Maximum size of data that can be received in one request.
Jitter | 44 | Randomized time added to sleep interval for jitter.
MaxDNS | Not Found | Maximum size of DNS request.
C2Server | nanopeb.com,/sub/access/PQODJO5X45JC; coldfusioncnc.com,/sub/access/PQODJO5X45JC | List of C2 servers and their associated paths.
UserAgent | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 | User-Agent string used in HTTP requests.
HttpPostUri | /inquiry/webcart/NPDTA4HJGYF2 | URI for HTTP POST requests.
Malleable_C2_Instructions | Remove 7449 bytes from the end; Remove 4338 bytes from the beginning; Base64 URL-safe decode; XOR mask w/ random key | Instructions for manipulating C2 communication.
HttpGet_Metadata | Not Found | Additional metadata included in HTTP GET requests.
HttpPost_Metadata | Not Found | Additional metadata included in HTTP POST requests.
SpawnTo | b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | Process to spawn into.
PipeName | Not Found | Named pipe used for communication.
DNS_Idle | Not Found | Time interval for DNS queries when system is idle.
DNS_Sleep | Not Found | Time interval for DNS queries during normal operation.
SSH_Host | Not Found | Hostname for SSH connection.
SSH_Port | Not Found | Port for SSH connection.
SSH_Username | Not Found | Username for SSH authentication.
SSH_Password_Plaintext | Not Found | Plaintext password for SSH authentication.
SSH_Password_Pubkey | Not Found | Public key for SSH authentication.
HttpGet_Verb | GET | HTTP method used in GET requests.
HttpPost_Verb | POST | HTTP method used in POST requests.
HttpPostChunk | 0 | Size of chunks for HTTP POST requests.
Spawnto_x86 | %windir%\syswow64\systray.exe | Path to execute payload on x86 systems.
Spawnto_x64 | %windir%\sysnative\svchost.exe -k netsvc | Path to execute payload on x64 systems.
CryptoScheme | 0 | Encryption scheme used for communication.
Proxy_Config | Not Found | Configuration for proxy server.
Proxy_User | Not Found | Username for proxy server authentication.
Proxy_Password | Not Found | Password for proxy server authentication.
Proxy_Behavior | Use IE settings | Behavior regarding proxy usage.
Watermark | 1357776117 | Watermark for identifying the beacon.
bStageCleanup | True | Flag indicating whether cleanup is needed after stage.
bCFGCaution | False | Flag indicating caution for CFG memory protection.
KillDate | 0 | Date to kill the beacon if configured.
bProcInject_StartRWX | False | Flag indicating whether to start RWX memory for injection.
bProcInject_UseRWX | False | Flag indicating whether to use RWX memory injection.
bProcInject_MinAllocSize | 15585 | Minimum size for memory allocation during injection.
ProcInject_PrependAppend_x86 | b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'; b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00' | Code to prepend/append for x86 process injection.
ProcInject_PrependAppend_x64 | b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'; b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}' | Code to prepend/append for x64 process injection.
ProcInject_Execute | ntdll:RtlUserThreadStart; CreateThread; NtQueueApcThread; CreateRemoteThread; RtlCreateUserThread | Methods of execution for process injection.
ProcInject_AllocationMethod | VirtualAllocEx | Method used for memory allocation during injection.
bUsesCookies | True | Flag indicating whether beacon uses cookies.
HostHeader | (empty) | Host header used in HTTP requests.