Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor

June 6, 2024, 12:36 p.m.

Description

Security researchers discovered a malicious version of the Advanced IP Scanner installer that contained a backdoored DLL module. The trojanized installer was distributed from a typosquatted domain that appeared in search results for the legitimate software. When executed, the installer injected a Cobalt Strike beacon, a commercial post-exploitation framework widely abused by threat actors, into a newly created process. This gave the attackers persistent control over the compromised host and a foothold from which to move laterally within the network.

Date

  • Created: June 6, 2024, 12:27 p.m.
  • Published: June 6, 2024, 12:27 p.m.
  • Modified: June 6, 2024, 12:36 p.m.

Indicators


Attack Patterns

  • CobaltStrike
  • T1195.002
  • T1185
  • T1574
  • T1105
  • T1083
  • T1055
  • T1036
  • T1053
  • T1195
  • T1190
  • T1059