During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for the Advanced IP Scanner tool online and inadvertently downloaded the compromised installer from a typo-squatted domain that appeared in their search results.
Figure 1. Search results for Advanced IP Scanner may direct users to a malicious domain.
Advanced IP Scanner is a free network scanner for Windows that analyses local area networks (LANs) and gathers information about connected devices, a tool mostly used by IT administrators. However, for the past year, this tool has been the target of a watering hole attack. Threat actors have been mimicking the legitimate website and abusing Google Ads to ensure their malicious site ranks highly in search results for “Advanced IP Scanner.”
![Figure 2. The malicious domain www[.]advanCCed-ip-scaNer[.]com, not to be confused with the legitimate domain www.advanced-ip-scanner.com, redirects to advanCCed-ip-scanner[.]com.](https://www.trustwave.com/hs-fs/hubfs/Blogs/SpiderLab_Blog_Images/Figure%202.%20The%20malicious%20domain%20www%5B.%5DadvanCCed-ip-scaNer%5B.%5Dcom%2c%20not%20to%20be%20confused%20with%20the%20legitimate%20domain%20www.advanced-ip-scanner.com%2c%20redirects%20to%20advanCCed-ip-scanner%5B.%5Dcom..jpg?width=602&height=368&name=Figure%202.%20The%20malicious%20domain%20www%5B.%5DadvanCCed-ip-scaNer%5B.%5Dcom%2c%20not%20to%20be%20confused%20with%20the%20legitimate%20domain%20www.advanced-ip-scanner.com%2c%20redirects%20to%20advanCCed-ip-scanner%5B.%5Dcom..jpg)
Figure 2. The malicious domain www[.]advanCCed-ip-scaNer[.]com, not to be confused with the legitimate domain www.advanced-ip-scanner.com, redirects to advanCCed-ip-scanner[.]com.
.jpg?width=602&height=164&name=Figure%203.%20Free%20download%20linked%20to%20the%20malicious%20setup%20package%20executable%20Advanced_IP_Scanner_2.5.4594.1(MD5%20723227f3a71001fb9c0cd28ff52b2636).jpg)
Figure 3. "Free download" linked to the malicious setup package executable Advanced_IP_Scanner_2.5.4594.1(MD5: 723227f3a71001fb9c0cd28ff52b2636)
Execution Chain
Figure 4. Execution chain overview
The signed setup file Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636) downloaded from the fake website contains a DLL named pcre.dll (MD5: 21cdd0a64e8ac9ed58de9b88986c8983) identified as malicious. Normally, this DLL is loaded by the main Advanced IP Scanner program to provide a Perl Compatible Regular Expressions library. However, in this compromised version, it is side-loaded to inject a CobaltStrike beacon into a newly created parent process.
Figure 5. The malicious installer is digitally signed using a stolen certificate
Figure 6. The installed main legitimate program imports the module pcre.dll
The main Advanced IP Scanner program first calls the “pcre_study” module from the DLL file, where malicious code allocates memory in the parent process's address space and copies the encrypted CobaltStrike beacon into it. Then, the program calls the “pcre_exec” module, which contains code to decrypt the CobaltStrike beacon. Finally, it creates a new process for Advanced IP Scanner and injects the decrypted CobaltStrike beacon into this new process using the process hollowing technique.
%20function%20from%20pcre.dll.%20The%20malicious%20pcre.dll%2c%20however%2c%20contains%20a%20function%20that%20allocates%20memory%20for%20the%20CobaltStrike%20beacon..jpg?width=712&height=327&name=Figure%207.%20The%20main%20program%20initially%20calls%20the%20pcre_study()%20function%20from%20pcre.dll.%20The%20malicious%20pcre.dll%2c%20however%2c%20contains%20a%20function%20that%20allocates%20memory%20for%20the%20CobaltStrike%20beacon..jpg)
Figure 7. The main program initially calls the pcre_study() function from pcre.dll. The malicious pcre.dll, however, contains a function that allocates memory for the CobaltStrike beacon.
Figure 8. Eventually, the pcre_exec code will be called by the main program. The malicious code in pcre.dll however would decrypt and inject the malicious CobaltStrike beacon shellcode to a newly created process of the main program
Figure 9. The malicious code is encrypted and stored in the “.data” section of the malicious pcre.dll file
Figure 10. After extracting and decrypting the block, it reveals the CobaltStrike beacon configuration that includes the C2 server, XOR encoded with 0x2E.
CobaltStrike is a tool that threat actors use after they’ve already broken into the system. It's like a Swiss Army knife for cyberattacks, helping an attacker sneak into networks, move around quietly, and steal information without getting caught.
Originally, it was made for security professionals to simulate attacks and find weaknesses, but now it's often used by the bad guys for real attacks. This is accomplished with the help of a CobaltStrike beacon, a small piece of malicious software the threat actor uses to maintain control over a compromised computer.
Once installed on a target system, it quietly communicates with the attacker’s server, allowing them to send commands, steal data, and spread to other computers in the network. This particular beacon communicates with its command-and-control (C2) servers at nanopeb[.]com and coldfusioncnc[.]com. For the full extracted beacon configuration, please refer to the appendix section below.
This incident shows how important downloading software only from trusted, official sources. IT admins and security pros need to be extra careful when getting network tools, making sure to use strong security measures like endpoint protection and regular checks for any unusual network activity. Cybercriminals are getting more creative with their attacks, using tricks like typo-squatting, SEO, and fake ads, so it's important to stay alert and keep cybersecurity practices up to date. This campaign is ongoing, and other typo-squatted domains have been reported to deliver CobaltStrike alternative like Sliver C2, malware including Danabot, IDATLoader, and MadMXShell.
IOCs:
Network Activity
- https[:]//nanopeb[.]com
- https[:]//coldfusioncnc[.]com
URI Path
- /sub/access/PQODJO5X45JC
- /inquiry/webcart/NPDTA4HJGYF2
Hashes
Backdoored Advanced_IP_Scanner_2.5.4594.1.exe
- 723227f3a71001fb9c0cd28ff52b2636 (MD5)
- fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711 (SHA256)
Malicious pcre.dll
- 21cdd0a64e8ac9ed58de9b88986c8983 (MD5)
- 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e (SHA256)
CobaltStrike beacon shellcode
- e12ebfd9f6e8cf6cbd76b229e7bf7492 (MD5)
- 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4 (SHA256)
Other typo-squatted domains that are still active include:
- https[:]//adlvanced-ip-scanner[.]com
- https[:]//advanced-ip-scanner[.]link
- https[:]//advnaced-ip-skanner[.]top
- https[:]//advanced-ip[.]org
Appendix
CobaltStrike Beacon Configuration:
|
Field
|
Value
|
Description
|
|
BeaconType
|
HTTPS
|
Type of communication protocol used by the beacon.
|
|
Port
|
443
|
Port number on which the communication is established.
|
|
SleepTime
|
83935 seconds or 24 hours
|
Time interval between beacon check-ins.
|
|
MaxGetSize
|
2807995
|
Maximum size of data that can be received in one request.
|
|
Jitter
|
44
|
Randomized time added to sleep interval for jitter.
|
|
MaxDNS
|
Not Found
|
Maximum size of DNS request.
|
|
C2Server
|
- nanopeb.com,/sub/access/PQODJO5X45JC
|
List of C2 servers and their associated paths.
|
| |
- coldfusioncnc.com,/sub/access/PQODJO5X45JC
|
|
|
UserAgent
|
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9
|
User-Agent string used in HTTP requests.
|
|
HttpPostUri
|
/inquiry/webcart/NPDTA4HJGYF2
|
URI for HTTP POST requests.
|
|
Malleable_C2_Instructions
|
- Remove 7449 bytes from the end
|
Instructions for manipulating C2 communication.
|
| |
- Remove 4338 bytes from the beginning
|
See description below
|
| |
- Base64 URL-safe decode
|
|
| |
- XOR mask w/ random key
|
|
|
HttpGet_Metadata
|
Not Found
|
Additional metadata included in HTTP GET requests.
|
|
HttpPost_Metadata
|
Not Found
|
Additional metadata included in HTTP POST requests.
|
|
SpawnTo
|
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
Process to spawn into.
|
|
PipeName
|
Not Found
|
Named pipe used for communication.
|
|
DNS_Idle
|
Not Found
|
Time interval for DNS queries when system is idle.
|
|
DNS_Sleep
|
Not Found
|
Time interval for DNS queries during normal operation.
|
|
SSH_Host
|
Not Found
|
Hostname for SSH connection.
|
|
SSH_Port
|
Not Found
|
Port for SSH connection.
|
|
SSH_Username
|
Not Found
|
Username for SSH authentication.
|
|
SSH_Password_Plaintext
|
Not Found
|
Plaintext password for SSH authentication.
|
|
SSH_Password_Pubkey
|
Not Found
|
Public key for SSH authentication.
|
|
HttpGet_Verb
|
GET
|
HTTP method used in GET requests.
|
|
HttpPost_Verb
|
POST
|
HTTP method used in POST requests.
|
|
HttpPostChunk
|
0
|
Size of chunks for HTTP POST requests.
|
|
Spawnto_x86
|
%windir%\syswow64\systray.exe
|
Path to execute payload on x86 systems.
|
|
Spawnto_x64
|
%windir%\sysnative\svchost.exe -k netsvc
|
Path to execute payload on x64 systems.
|
|
CryptoScheme
|
0
|
Encryption scheme used for communication.
|
|
Proxy_Config
|
Not Found
|
Configuration for proxy server.
|
|
Proxy_User
|
Not Found
|
Username for proxy server authentication.
|
|
Proxy_Password
|
Not Found
|
Password for proxy server authentication.
|
|
Proxy_Behavior
|
Use IE settings
|
Behavior regarding proxy usage.
|
|
Watermark
|
1357776117
|
Watermark for identifying the beacon.
|
|
bStageCleanup
|
True
|
Flag indicating whether cleanup is needed after stage.
|
|
bCFGCaution
|
False
|
Flag indicating caution for CFG memory protection.
|
|
KillDate
|
0
|
Date to kill the beacon if configured.
|
|
bProcInject_StartRWX
|
False
|
Flag indicating whether to start RWX memory for injection.
|
|
bProcInject_UseRWX
|
False
|
Flag indicating whether to use RWX memory injection.
|
|
bProcInject_MinAllocSize
|
15585
|
Minimum size for memory allocation during injection.
|
|
ProcInject_PrependAppend_x86
|
- b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'
|
Code to prepend/append for x86 process injection.
|
| |
- b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00'
|
See description below
|
|
ProcInject_PrependAppend_x64
|
- b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'
|
Code to prepend/append for x64 process injection.
|
| |
- b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}'
|
See description below
|
|
ProcInject_Execute
|
- ntdll:RtlUserThreadStart
|
Methods of execution for process injection.
|
| |
- CreateThread
|
|
| |
- NtQueueApcThread
|
|
| |
- CreateRemoteThread
|
|
| |
- RtlCreateUserThread
|
|
|
ProcInject_AllocationMethod
|
VirtualAllocEx
|
Method used for memory allocation during injection.
|
|
bUsesCookies
|
True
|
Flag indicating whether beacon uses cookies.
|
|
HostHeader
|
|
Host header used in HTTP requests.
|
