SpiderLabs Blog

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for the Advanced IP Scanner tool online and inadvertently downloaded the compromised installer from a typo-squatted domain that appeared in their search results.

Figure 1. Search results for Advanced IP Scanner may direct users to a malicious domain.

Advanced IP Scanner is a free Windows network scanner that enumerates the devices on a local area network (LAN). It is used mostly by IT administrators, which is exactly what makes it attractive bait. For the past year the tool has been the subject of a malvertising and typo-squatting campaign: threat actors clone the legitimate website and abuse Google Ads so that their look-alike site ranks at the top of search results for "Advanced IP Scanner."

Figure 2. The malicious domain www[.]advanCCed-ip-scaNer[.]com, not to be confused with the legitimate domain www.advanced-ip-scanner.com, redirects to advanCCed-ip-scanner[.]com.

Figure 3. "Free download" linked to the malicious setup package executable Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636)

Execution Chain

Figure 4. Execution chain overview

The signed setup file Advanced_IP_Scanner_2.5.4594.1.exe (MD5: 723227f3a71001fb9c0cd28ff52b2636) downloaded from the fake website contains a DLL named pcre.dll (MD5: 21cdd0a64e8ac9ed58de9b88986c8983) identified as malicious. In a clean install, this DLL is loaded by the main Advanced IP Scanner program to provide the Perl Compatible Regular Expressions library. In the compromised version it is side-loaded from the install directory by the legitimate, signed main executable and used to inject a CobaltStrike beacon into a newly created instance of the Advanced IP Scanner process.

Figure 5. The malicious installer is digitally signed using a stolen certificate.

Figure 6. The installed legitimate main program imports the module pcre.dll.

The main Advanced IP Scanner program first calls the pcre_study() export from the DLL. In the malicious build, that function allocates memory in the host process's own address space and copies the encrypted CobaltStrike beacon into it. The program then calls pcre_exec(), whose malicious implementation decrypts the beacon. Finally, the DLL creates a new instance of the Advanced IP Scanner process and injects the decrypted beacon into it using the process hollowing technique, so the implant runs under the name and signed image of the legitimate tool.

Figure 7. The main program initially calls pcre_study() from pcre.dll. In the malicious pcre.dll, that function instead allocates memory for the CobaltStrike beacon.

Figure 8. Eventually the main program calls pcre_exec(). The malicious code in pcre.dll decrypts the CobaltStrike beacon shellcode and injects it into a newly created process of the main program.

Figure 9. The beacon shellcode is stored encrypted in the ".data" section of the malicious pcre.dll.

Figure 10. Extracting and decrypting the block reveals the CobaltStrike beacon configuration, which includes the C2 servers; the configuration itself is XOR-encoded with 0x2E.
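To make the XOR step concrete, here is an added Python example (written for this page, not Trustwave's tooling) that locates and parses a CobaltStrike beacon configuration masked with a single-byte XOR key. It relies on two facts about the format: the config is a list of big-endian TLV entries (uint16 index, uint16 type, uint16 length, value) and the first entry is always BeaconType, so the masked header can be searched for under each candidate key (0x2E for 4.x beacons, 0x69 for 3.x). The input blob is constructed inline from the values in the appendix; it is not the real pcre.dll, and the field-index table is only the subset needed for those values.

```python
import struct

# Single-byte XOR keys Cobalt Strike uses to mask the embedded beacon config:
# 0x69 for 3.x beacons, 0x2E for 4.x (the sample in this post decodes with 0x2E).
XOR_KEYS = (0x2E, 0x69)

# Every config starts with the BeaconType entry: index 1, type 1 (short), length 2.
CONFIG_MARKER = struct.pack(">HHH", 1, 1, 2)

# Subset of the setting indices that appear in the appendix table.
FIELD_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def _entry(index: int, typ: int, value) -> bytes:
    """Encode one setting as big-endian TLV: uint16 index, uint16 type, uint16 length, value."""
    if typ == 1:            # short
        data = struct.pack(">H", value)
    elif typ == 2:          # int
        data = struct.pack(">I", value)
    else:                   # bytes / string, caller pads to the fixed slot size
        data = value
    return struct.pack(">HHH", index, typ, len(data)) + data


def build_constructed_blob(key: int = 0x2E) -> bytes:
    """Constructed sample, not the real pcre.dll: a plaintext config mirroring the post's
    values, zero-terminated, XOR-masked with `key`, and buried between filler bytes."""
    plain = b"".join([
        _entry(1, 1, 8),            # BeaconType = HTTPS
        _entry(2, 1, 443),          # Port
        _entry(3, 2, 83935),        # SleepTime
        _entry(4, 2, 2807995),      # MaxGetSize
        _entry(5, 1, 44),           # Jitter (percent)
        _entry(8, 3, b"nanopeb.com,/sub/access/PQODJO5X45JC".ljust(256, b"\x00")),
        _entry(10, 3, b"/inquiry/webcart/NPDTA4HJGYF2".ljust(64, b"\x00")),
        _entry(37, 2, 1357776117),  # Watermark
    ]) + b"\x00" * 16               # a zero index terminates the list
    masked = bytes(b ^ key for b in plain)
    return b"\x90" * 37 + masked + b"\xcc" * 21   # arbitrary filler around the config


def find_config(blob: bytes):
    """Search for the masked BeaconType header under each known key. Returns (key, offset) or None."""
    for key in XOR_KEYS:
        needle = bytes(b ^ key for b in CONFIG_MARKER)
        pos = blob.find(needle)
        if pos != -1:
            return key, pos
    return None


def parse_config(blob: bytes, key: int, offset: int) -> dict:
    """Unmask from `offset` and walk the TLV list until the zero-index terminator."""
    data = bytes(b ^ key for b in blob[offset:])
    fields, pos = {}, 0
    while pos + 6 <= len(data):
        index, typ, length = struct.unpack_from(">HHH", data, pos)
        pos += 6
        if index == 0:
            break
        raw = data[pos:pos + length]
        pos += length
        if len(raw) < length:          # truncated dump: stop rather than misparse
            break
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        name = FIELD_NAMES.get(index, f"Setting_{index}")
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, f"Unknown({value})")
        fields[name] = value
    return fields


def extract_beacon_config(blob: bytes) -> dict:
    """Returns {"key": ..., "offset": ..., "fields": {...}} or raises if no config is found."""
    hit = find_config(blob)
    if hit is None:
        raise ValueError("no Cobalt Strike config header found under known XOR keys")
    key, offset = hit
    return {"key": key, "offset": offset, "fields": parse_config(blob, key, offset)}


if __name__ == "__main__":
    result = extract_beacon_config(build_constructed_blob())
    print(f"key=0x{result['key']:02X} offset={result['offset']}")
    for name, value in result["fields"].items():
        print(f"  {name:<12} {value}")
```

Run against a real sample, the blob would be the decrypted shellcode from Figure 9 rather than the constructed buffer; the header search is what lets the parser skip the loader code in front of the config without knowing its length.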

CobaltStrike is a commercial adversary-simulation framework that threat actors use once they already have a foothold. It is the Swiss Army knife of post-exploitation: it helps an attacker blend into a network, move laterally without drawing attention, and exfiltrate data.

It was built for security professionals to simulate attacks and find weaknesses, but cracked copies are routinely used in real intrusions. The working component is the CobaltStrike beacon, a small implant the threat actor uses to maintain control over a compromised computer.

Once running on a target system, the beacon quietly communicates with the attacker's server, allowing them to send commands, steal data, and pivot to other computers in the network. This particular beacon communicates over HTTPS with its command-and-control (C2) servers at nanopeb[.]com and coldfusioncnc[.]com. For the full extracted beacon configuration, see the appendix below.

This incident shows how important it is to download software only from trusted, official sources, and to verify what was downloaded: the installer here carried a valid signature from a stolen certificate, so a signature alone proves nothing unless the signer is the vendor you expect. IT admins and security pros need to be extra careful when obtaining network tools, and should back that up with endpoint protection and regular checks for unusual network activity. Cybercriminals are getting more creative, using typo-squatting, SEO poisoning, and fake ads, so it is important to stay alert and keep cybersecurity practices up to date. This campaign is ongoing, and other typo-squatted domains have been reported to deliver CobaltStrike alternatives such as Sliver C2, as well as malware including Danabot, IDATLoader, and MadMXShell.
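As an added illustration of the "regular checks for unusual network activity" point (example code written for this page, not Trustwave's), the following Python hunts through proxy logs for this beacon in two ways: direct indicator matches (the C2 domains, URI paths and the 2009-era Firefox User-Agent from the IOC list and appendix) and check-in cadence, using the extracted SleepTime of 83935 seconds and 44% jitter. The log format and the log lines are constructed for the example; the cadence window assumes CobaltStrike's behaviour of shortening the sleep by up to the jitter percentage, plus a 5% allowance for processing delay.

```python
import re
from datetime import datetime

# Indicators taken from the IOC list and the appendix of this post.
IOC_DOMAINS = {"nanopeb.com", "coldfusioncnc.com"}
IOC_URIS = {"/sub/access/PQODJO5X45JC", "/inquiry/webcart/NPDTA4HJGYF2"}
IOC_USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.9) "
                  "Gecko/2009040821 Firefox/3.0.9")
SLEEP_SECONDS = 83935     # SleepTime from the extracted beacon config
JITTER_PERCENT = 44       # Jitter from the extracted beacon config
LATE_TOLERANCE = 0.05     # assumption: allow check-ins up to 5% later than the sleep

# Constructed proxy log format (not any real product's): ts src host method uri "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

BEACON_UA = IOC_USER_AGENT
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"

# Constructed sample: one infected host checking in with jittered gaps, one clean host.
SAMPLE_LOG = "\n".join([
    f'2024-06-01T00:00:00 10.0.0.5 nanopeb.com GET /sub/access/PQODJO5X45JC "{BEACON_UA}"',
    f'2024-06-01T00:05:00 10.0.0.7 www.example.org GET /index.html "{BROWSER_UA}"',
    f'2024-06-01T00:10:00 10.0.0.7 www.example.org GET /about.html "{BROWSER_UA}"',
    f'2024-06-01T16:40:00 10.0.0.5 nanopeb.com GET /sub/access/PQODJO5X45JC "{BEACON_UA}"',
    f'2024-06-02T14:53:20 10.0.0.5 nanopeb.com GET /sub/access/PQODJO5X45JC "{BEACON_UA}"',
])


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, method, uri, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "method": method, "uri": uri, "ua": ua}


def ioc_reasons(rec: dict) -> list:
    """Static indicator matches for one request: C2 domain, beacon URI, beacon User-Agent."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        reasons.append("domain:" + rec["host"])
    if rec["uri"] in IOC_URIS:
        reasons.append("uri:" + rec["uri"])
    if rec["ua"] == IOC_USER_AGENT:
        reasons.append("user-agent:Firefox/3.0.9")
    return reasons


def in_sleep_window(seconds: float) -> bool:
    """Jitter shortens the sleep, so expected gaps lie in [sleep*(1-jitter), sleep] (plus tolerance)."""
    lo = SLEEP_SECONDS * (1 - JITTER_PERCENT / 100)
    hi = SLEEP_SECONDS * (1 + LATE_TOLERANCE)
    return lo <= seconds <= hi


def hunt(log_text: str) -> dict:
    """Return static IOC hits and (src, host) pairs whose request cadence matches the beacon."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    ioc_matches = [(r["ts"].isoformat(), r["src"], r["host"], ioc_reasons(r))
                   for r in records if ioc_reasons(r)]
    by_pair = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_pair.setdefault((r["src"], r["host"]), []).append(r["ts"])
    cadence = []
    for pair, times in by_pair.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(in_sleep_window(g) for g in gaps):
            cadence.append((pair, gaps))
    return {"ioc_matches": ioc_matches, "beacon_cadence": cadence}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for hit in result["ioc_matches"]:
        print("IOC  ", hit)
    for pair, gaps in result["beacon_cadence"]:
        print("CADENCE", pair, gaps)
```

The cadence check is deliberately strict (every gap must fit the window) because a sleep this long produces only one request a day per host and a single false gap would otherwise dominate; a real hunt would loosen it for hosts that reboot or sleep, and pair it with the static indicators rather than rely on either alone.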

 

IOCs:

Network Activity

  • https[:]//nanopeb[.]com
  • https[:]//coldfusioncnc[.]com

 

URI Path

  • /sub/access/PQODJO5X45JC
  • /inquiry/webcart/NPDTA4HJGYF2

 

Hashes

Backdoored Advanced_IP_Scanner_2.5.4594.1.exe

  • 723227f3a71001fb9c0cd28ff52b2636 (MD5)
  • fef06c28ae5a65672c31076b062e33cfaeb2b90309444f6567877f22997bc711 (SHA256)

Malicious pcre.dll

  • 21cdd0a64e8ac9ed58de9b88986c8983 (MD5)
  • 9a0c600669772bc530fe07c2dbb23dbb4808c640d016ffb832460ed25d2bb49e (SHA256)

CobaltStrike beacon shellcode

  • e12ebfd9f6e8cf6cbd76b229e7bf7492 (MD5)
  • 248f3df68651214cfc1645792f685f8ac15db8f86978cfd3b181d618ccf03bc4 (SHA256)

Other typo-squatted domains that are still active include:

  • https[:]//adlvanced-ip-scanner[.]com
  • https[:]//advanced-ip-scanner[.]link
  • https[:]//advnaced-ip-skanner[.]top
  • https[:]//advanced-ip[.]org

 

Appendix

CobaltStrike Beacon Configuration:

Field | Value | Description
BeaconType | HTTPS | Type of communication protocol used by the beacon.
Port | 443 | Port number on which the communication is established.
SleepTime | 83935 seconds (about 23.3 hours) | Time interval between beacon check-ins.
MaxGetSize | 2807995 | Maximum size of data that can be received in one GET response.
Jitter | 44 | Percentage by which the sleep interval is randomized (shortened) before each check-in.
MaxDNS | Not Found | Maximum size of a DNS request (DNS beacons only).
C2Server | nanopeb.com,/sub/access/PQODJO5X45JC; coldfusioncnc.com,/sub/access/PQODJO5X45JC | List of C2 servers and their associated GET paths.
UserAgent | Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9 | User-Agent string used in HTTP requests.
HttpPostUri | /inquiry/webcart/NPDTA4HJGYF2 | URI for HTTP POST requests.
Malleable_C2_Instructions | 1. Remove 7449 bytes from the end; 2. Remove 4338 bytes from the beginning; 3. Base64 URL-safe decode; 4. XOR mask w/ random key | Steps the beacon applies, in this order, to recover tasking from a server response.
HttpGet_Metadata | Not Found | Additional metadata included in HTTP GET requests.
HttpPost_Metadata | Not Found | Additional metadata included in HTTP POST requests.
SpawnTo | b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | Legacy process-to-spawn field (unset; see Spawnto_x86/x64).
PipeName | Not Found | Named pipe used for communication (SMB beacons only).
DNS_Idle | Not Found | IP address returned by the C2 when there is no tasking (DNS beacons only).
DNS_Sleep | Not Found | Delay between DNS requests (DNS beacons only).
SSH_Host | Not Found | Hostname for SSH connection.
SSH_Port | Not Found | Port for SSH connection.
SSH_Username | Not Found | Username for SSH authentication.
SSH_Password_Plaintext | Not Found | Plaintext password for SSH authentication.
SSH_Password_Pubkey | Not Found | Public key for SSH authentication.
HttpGet_Verb | GET | HTTP method used for check-in requests.
HttpPost_Verb | POST | HTTP method used for posting output.
HttpPostChunk | 0 | Chunk size for HTTP POST requests (0 = no chunking).
Spawnto_x86 | %windir%\syswow64\systray.exe | Process spawned to host post-exploitation jobs on x86.
Spawnto_x64 | %windir%\sysnative\svchost.exe -k netsvc | Process spawned to host post-exploitation jobs on x64.
CryptoScheme | 0 | Encryption scheme used for communication.
Proxy_Config | Not Found | Configuration for proxy server.
Proxy_User | Not Found | Username for proxy server authentication.
Proxy_Password | Not Found | Password for proxy server authentication.
Proxy_Behavior | Use IE settings | Behavior regarding proxy usage.
Watermark | 1357776117 | License-derived watermark identifying the CobaltStrike build.
bStageCleanup | True | Flag indicating whether the stage is freed from memory after loading.
bCFGCaution | False | Flag for extra caution when injecting into processes protected by Control Flow Guard (CFG).
KillDate | 0 | Date after which the beacon stops running (0 = none).
bProcInject_StartRWX | False | Flag indicating whether injected memory is allocated as RWX.
bProcInject_UseRWX | False | Flag indicating whether injected memory is left as RWX.
bProcInject_MinAllocSize | 15585 | Minimum size for memory allocation during injection.
ProcInject_PrependAppend_x86 | prepend: b'f\x0f\x1f\x84\x00\x00\x00\x00\x00PXPX\x0f\x1f\x84\x00\x00\x00\x00\x00PX\x0f{TRUNCATED}'; append: b'f\x0f\x1fD\x00\x00f\x0f\x1fD\x00\x00\x90\x0f\x1f@\x00\x0f\x1f\x80\x00\x00\x00\x00' | Code prepended/appended to the injected x86 payload (multi-byte NOP and push/pop padding).
ProcInject_PrependAppend_x64 | prepend: b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f@\x00f\x90f{TRUNCATED}'; append: b'\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1fD{TRUNCATED}' | Code prepended/appended to the injected x64 payload (multi-byte NOP padding).
ProcInject_Execute | ntdll:RtlUserThreadStart; CreateThread; NtQueueApcThread; CreateRemoteThread; RtlCreateUserThread | Methods of execution for process injection, tried in order.
ProcInject_AllocationMethod | VirtualAllocEx | Method used for memory allocation during injection.
bUsesCookies | True | Flag indicating whether beacon uses cookies.
HostHeader | (empty) | Host header used in HTTP requests.
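The Malleable_C2_Instructions row describes how the beacon unwraps a server response. The following Python, added here as an example and not taken from the post or from CobaltStrike, implements both sides of that transform chain with the sizes from the table, so the order of operations can be checked end to end. It assumes the "XOR mask w/ random key" step works the way CobaltStrike's mask transform is commonly described (a 4-byte random key prepended to the data, which is XORed with that key repeating); the filler bytes and the tasking payload are constructed.

```python
import base64

# Decode steps for the server's HTTP response, in the order the extracted config lists them.
APPEND_LEN = 7449     # "Remove 7449 bytes from the end"
PREPEND_LEN = 4338    # "Remove 4338 bytes from the beginning"
MASK_KEY_LEN = 4      # assumption: the mask transform prefixes a 4-byte random key


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated; the same operation masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mask(payload: bytes, key: bytes) -> bytes:
    """Encode side of 'XOR mask w/ random key': the key travels in the clear up front."""
    if len(key) != MASK_KEY_LEN:
        raise ValueError(f"mask key must be {MASK_KEY_LEN} bytes")
    return key + xor_stream(payload, key)


def unmask(blob: bytes) -> bytes:
    """Decode side: peel the key off the front and XOR the remainder with it."""
    if len(blob) < MASK_KEY_LEN:
        raise ValueError("masked blob shorter than its key")
    return xor_stream(blob[MASK_KEY_LEN:], blob[:MASK_KEY_LEN])


def server_encode(tasking: bytes, key: bytes = b"\x13\x37\xbe\xef") -> bytes:
    """Constructed team-server side: encode order is the reverse of the decode list
    (mask, base64url, prepend filler, append filler). Filler content is arbitrary here;
    a real profile uses fixed text that makes the response look like a web page."""
    body = base64.urlsafe_b64encode(mask(tasking, key))
    prepend = (b"<!DOCTYPE html><html><head><title>Welcome</title></head><body>\n" * 100)[:PREPEND_LEN]
    append = (b"<!-- -->\n" * 1000)[:APPEND_LEN]
    return prepend + body + append


def client_decode(response: bytes) -> bytes:
    """Beacon side: apply the four steps exactly as the config lists them."""
    if len(response) < PREPEND_LEN + APPEND_LEN + 8:   # 8 = base64 of an empty masked payload
        raise ValueError("response too short to hold the filler plus a masked payload")
    body = response[:len(response) - APPEND_LEN]     # 1. remove 7449 bytes from the end
    body = body[PREPEND_LEN:]                        # 2. remove 4338 bytes from the beginning
    body += b"=" * (-len(body) % 4)                  # tolerate unpadded base64url
    body = base64.urlsafe_b64decode(body)            # 3. base64 URL-safe decode
    return unmask(body)                              # 4. XOR mask w/ random key


if __name__ == "__main__":
    tasking = b"constructed tasking: sleep 60 20"
    wire = server_encode(tasking)
    print(len(wire), "bytes on the wire ->", client_decode(wire))
```

Because the prepend and append lengths are fixed by the profile, the real payload sits at a constant offset inside every response; that is useful when carving tasking out of a packet capture, and it is also why the same transform chain tends to reappear across samples built from one profile.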
