In a recent crimeware report, Kaspersky experts described AdvancedIPSpyware, a backdoored version of the legitimate Advanced IP Scanner tool used by network admins to control local area networks (LANs).

The malicious tool affected a broad audience with victims in Latin America, Africa, Western Europe, South Asia, Australia as well as CIS countries.

Adding malicious code to benign software in order to hide its harmful activity and trick the user is a technique that has become increasingly common.

What hasn’t been seen as often is that the backdoored binary is actually signed. This is precisely the case with AdvancedIPSpyware, which is a backdoored version of the legitimate Advanced IP Scanner tool used by network admins to control LANs.

The certificate with which the malware was signed was most likely stolen. The malware was hosted on two sites whose domains are almost identical to the legitimate Advanced IP Scanner website, differing by only one letter. Furthermore, the websites look the same. The only difference is the “free download” button on the malicious websites.
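Lookalike domains that differ from a legitimate site by a single letter, as described above, can be flagged from proxy or DNS logs with a simple edit-distance check. The following is an added example, not code from the Kaspersky report; the watched domain and observed hosts are constructed placeholders.

```python
from typing import Iterable, List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Keep the last two labels (e.g. 'dl.vendor.example' -> 'vendor.example').
    This ignores public-suffix rules; enough for the names in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(observed: Iterable[str], watched: Iterable[str],
                    max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (observed_host, watched_domain, distance) for every host whose
    registered domain is within max_distance edits of a watched domain but is
    not the watched domain itself (exact matches are legitimate traffic)."""
    hits = []
    watch_list = [w.lower() for w in watched]
    for host in observed:
        reg = registered_domain(host)
        for legit in watch_list:
            if reg == legit:
                continue
            d = levenshtein(reg, legit)
            if d <= max_distance:
                hits.append((host, legit, d))
    return hits


# Constructed sample data: one legitimate vendor domain and observed hosts.
WATCHED = ["scanner-vendor.example"]
OBSERVED = [
    "www.scanner-vendor.example",        # legitimate site, not flagged
    "download.scanner-vend0r.example",   # one substitution: o -> 0
    "scaner-vendor.example",             # one deletion: missing n
    "unrelated.example",                 # far away, not flagged
]

if __name__ == "__main__":
    for host, legit, d in find_lookalikes(OBSERVED, WATCHED):
        print(f"lookalike: {host} is {d} edit(s) from {legit}")
```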

Another uncommon feature of AdvancedIPSpyware is its modular architecture. Typically, modular architecture is seen in nation-state sponsored malware, not in the criminal type. However, in this case the attacks were not targeted, which leads to the conclusion that AdvancedIPSpyware is not part of any politically motivated campaign.

The AdvancedIPSpyware campaign has a broad victimology with affected users in Latin America, Africa, Western Europe, South Asia, Australia as well as CIS countries. The overall count of victims infected over the whole course of the campaign is about 80.

Besides AdvancedIPSpyware, the crimeware report published on Securelist includes the following findings:

* BlackBasta, a ransomware group uncovered earlier in July 2022, added functionality that makes forensics and detection more difficult, as the malware can now propagate through the network on its own.

* The researchers witnessed new features of CLoader, a stealer first discovered in April 2022. The stealer used cracked games and software as bait to trick users into installing the malware. The downloaded files were NSIS installers containing malicious code in the installation script.

* In August 2022, a campaign was discovered that has been active since at least January 2022 and focuses on Chinese-speaking individuals. A video giving instructions on how to install the Tor browser was uploaded to a popular Chinese-language YouTube channel focused on Internet anonymity. This in itself is not that odd, as the Tor browser is blocked in China. However, if a user clicks on the link in the description, an infected version of the Tor browser is downloaded instead of the benign one.

“Email is the most common infection method used by both cybercriminals and nation states. This time we took a look at less common techniques employed by cybercriminals – both well-known and those that have stayed out of sight. Namely, the AdvancedIPSpyware stands out for its unusual architecture, usage of a legitimate tool, and an almost identical copy of the legitimate website,” comments Jornt van der Wiel, a security expert at Kaspersky.