Threat actors have developed a backdoored version of the legitimate network scanning tool Advanced IP Scanner. Named AdvancedIPSpyware, the tool has already infected more than 80 organizations.
About AdvancedIPSpyware
Advanced IP Scanner is commonly used by network administrators to monitor an organization's network. Threat actors created a malicious version of this tool containing a hidden backdoor used for malicious operations.
The malicious software was hosted on two websites created using typosquatted domains that closely mimicked the legitimate domain hosting Advanced IP Scanner.
The backdoored binary was also signed with a genuine certificate, which was most likely stolen from a legitimate vendor.
Since the genuine tool uses anonymization, it is difficult to identify which organizations are running the infected version.
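As an added defender's example that is not part of the original article, the script below scans proxy-log URLs for hostnames within a small edit distance of the vendor's legitimate download domain, which is assumed here to be advanced-ip-scanner.com (verify against the vendor's own site); the log lines and lookalike hostnames are constructed, not indicators from the campaign.

```python
"""Flag proxy-log hostnames that typosquat a known-good download domain.

Added example, not from the article. Assumptions: the legitimate domain is
advanced-ip-scanner.com (verify on the vendor site); the log is constructed.
"""
from urllib.parse import urlsplit

KNOWN_GOOD = {"advanced-ip-scanner.com"}  # assumed legitimate domain(s)

# Constructed proxy log lines: client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
10.0.0.12 GET http://advanced-ip-scanner.com/download/ 200
10.0.0.31 GET http://advanced-ip-scaner.com/Advanced_IP_Scanner.exe 200
10.0.0.31 GET http://example.org/index.html 200
10.0.0.44 GET http://advanced-ipscanner.com/download/ 200
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (inlined, no dependency)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Last two labels; a real deployment should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_typosquats(log: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (client, host) pairs whose domain is near, but not in, known_good."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        dom = registered_domain(host)
        if dom in known_good:
            continue  # exact match: the legitimate vendor site
        if any(0 < levenshtein(dom, good) <= max_distance for good in known_good):
            hits.append((parts[0], host))
    return hits

if __name__ == "__main__":
    for client, host in find_typosquats(SAMPLE_LOG):
        print(f"possible typosquat: {client} -> {host}")
```

Hits should be reviewed together with the downloaded file's signer and hash, since the campaign's binary carried a valid certificate and a domain match alone proves nothing.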
The victims
AdvancedIPSpyware has already infected more than 80 organizations across Latin America, Western Europe, South Asia, Africa, and the Commonwealth of Independent States (CIS).
Modular architecture
This malware is built with a modular architecture, a pattern typically seen in nation-state tooling. However, the selection of targeted organizations indicates that this campaign is not politically motivated. It comprises three modules:
Main module: The core module that updates or deletes the malware itself, or creates new instances of itself.
Command execution module: This module comprises spyware-related functionalities, including information gathering, command execution, and others.
Network communication module: This part handles network-related functionality, such as sending heartbeat messages.
Ending notes
Backdoor malware signed with a valid certificate is rare, but it does happen. Moreover, the modular architecture of AdvancedIPSpyware indicates that malware developers keep refining their tactics to cover new ground. Against such a constantly shifting array of attacks, it may be only a matter of time before an organization falls victim. Have you considered using, or contributing to, a threat intelligence sharing platform? It boosts overall situational awareness and helps an organization build the defenses needed to thwart emerging threats.