Analyzing a Malicious Advanced IP Scanner Google Ad Redirection

IzzyBoop
5 min read · Mar 5, 2024


Titles Are Hard.

Before we begin I would like to thank my colleague Jai Minton for digging into this with me. Check out his blog: https://www.jaiminton.com/

So you found yourself responding to an alert about one of your employees downloading a malicious version of Advanced IP Scanner and you wanted to take a deeper dive and maybe grab the file for yourself but you found yourself dealing with some issues:

  1. The employee deleted the downloaded file
  2. The URL they clicked redirects to the REAL Advanced IP Scanner website
  3. Trying to get the ad to pop up in Google searches so you can grab it yourself just isn’t working. (Can’t even get hacked when you’re trying to.)

I was just dealing with this exact scenario, and the method I chose was to trick the site into thinking I was coming from a Google ad click. (We will illustrate later how this wasn’t even necessary and I thought way too hard in this case, but it was fun anyway!)

The site we are dealing with in this scenario is hxxps://advanced[.]ip-scanner[.]co. (Please don’t, and if you do, don’t blame me lol).

Let’s just… go to the site! What’s the worst that could happen!?

In my case, I get redirected to the real website:

Note the URL, the fake website looks visually the same.

Okay, well, what if I try to Google it? Maybe I can get the ad to show?

Nope, in this case I get the legitimate site. (Please note: previous malvertising campaigns were able to spoof the URL that was shown on the ad, but I confirmed this one by visiting the site.)

Alright, well that’s annoying. How can I trick the site into thinking I came from a Google ad? Well, my first thought was to see what happens when I click an ad on a real site.

In this case I opened up the browser’s developer pane with F12, clicked on the network tab, and went back to the legitimate advanced-ip-scanner.com via the ad-click.

After some aimless poking and prodding, I discovered the top result is the one we want to explore some more. So let’s click on this result and take a look at what we got.

If we scroll down to Request Headers we can see this line:

… I swear if that is all that’s needed I’m gonna snap. Okay let’s head over to Postman and give it a shot.

In Postman I want to create a new GET request and append a Referer header with the value https://www.google.com/.

This should work, right? … right? Let’s hit Send.

Hey! That’s a thing! You’ll see some references in the screenshot to advanced-ip-scanner.com, but that’s because the threat actors straight up cloned the site. If we connect with and without the referrer, there are slight differences in the resulting pages.

So at this point I want to find the download. So I’m going to just Ctrl+F the word download.

Lo and behold! Let’s try to visit that directory.

Boom! That’s a thing!

Now before we investigate a bit, remember when I said this?

“(We will illustrate later how this wasn’t even necessary and I thought way too hard…”

Well, turns out only the main page advanced[.]ip-scanner[.]co redirects if you have the incorrect referer. All I had to do was append /download and it would let me see the open directory with or without the referrer header. But, hey, hindsight is 20/20 or something.

But let’s poke around a bit! I find ipscanner.txt interesting, so let’s check that out.

It might not be immediately obvious, but this is incredibly interesting to me because that looks like Base64. Let’s decode that. Off to CyberChef!

Okay, now THAT’S interesting. That is an executable. We could download this a few different ways. We could click the save output button in CyberChef and save that as a .exe, and we would have our malicious executable, but I want to illustrate another way.

I am going to download the raw base64 into my VM as a .txt file and use certutil to decode it using certutil -decode source dest.

Boom, we got it. I also did use Get-FileHash to compare this against the hash originally referenced in the alert that triggered all of this and it is the same.

Okay but what about the other links shown in the /download directory?

Well, as it turns out we are working too hard yet again lol.

If we clicked the apps2co.php link on this page, it serves up the decoded .exe and if I check that hash against the original hash from the alert and the hash of my decoded .exe we get the same hash.
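The decode-and-verify steps above (Referer header in the request, ipscanner.txt to .exe via certutil, then Get-FileHash against the hash from the alert) as an added Python example that is not code from the original post. The base64 blob and the “alert hash” are constructed placeholders, not the real payload, and fetch_with_referer is assumed to be run only from an isolated analysis VM.

```python
"""Offline replay of the analysis: decode a base64-encoded executable from a .txt,
confirm it is a PE, and compare its SHA-256 with the hash from the alert."""
import base64
import binascii
import hashlib
import urllib.request


def fetch_with_referer(url: str, referer: str = "https://www.google.com/") -> bytes:
    """GET a page while claiming to arrive from a Google ad click (what Postman did).
    Network call; not exercised by the offline checks below."""
    req = urllib.request.Request(url, headers={"Referer": referer, "User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def decode_base64_blob(text: str) -> bytes:
    """Decode like `certutil -decode`: tolerate line breaks and whitespace, reject junk."""
    cleaned = "".join(text.split())
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc


def is_pe(data: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header magic (the 'TVq' seen in CyberChef)."""
    return data[:2] == b"MZ"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_alert_hash(data: bytes, alert_sha256: str) -> bool:
    """Equivalent of comparing Get-FileHash output against the hash in the alert."""
    return sha256_hex(data).lower() == alert_sha256.strip().lower()


# Constructed stand-in for ipscanner.txt: a fake 'MZ' stub, base64-encoded and
# line-wrapped the way certutil writes it. Not the real payload.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
IPSCANNER_TXT = base64.encodebytes(FAKE_PE).decode()  # contains newlines
ALERT_SHA256 = sha256_hex(FAKE_PE)                     # constructed "alert" hash

if __name__ == "__main__":
    blob = decode_base64_blob(IPSCANNER_TXT)
    print("looks like a PE:", is_pe(blob))
    print("sha256:", sha256_hex(blob))
    print("matches alert hash:", matches_alert_hash(blob, ALERT_SHA256))
```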

At this point we will not be going any further because then this would turn into a blog on static and dynamic malware analysis. (Don’t worry, one is coming.)

I hope you found reading this as enjoyable as it was for me to dig into this.

Cheers! ^_^

