Threat actors have been abusing compromised, high-ranking legitimate websites to distribute the BadSpace backdoor to Windows machines. The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor onto the victim's system. BadSpace is a backdoor Trojan that silently installs itself on a computer, giving cybercriminals remote access and control. It can steal personal information, monitor activity, and install additional malicious software. The malware is heavily obfuscated and uses RC4 encryption to protect its strings and API calls.[1]
The chain begins with a compromised website, including sites built on WordPress, into which code is injected that checks whether a user has visited the site before. If it is the user's first visit, the code collects information about the device, IP address, user agent, and location and transmits it to a hard-coded domain via an HTTP GET request.
The server's response then overlays the web page's contents with a fake Google Chrome update pop-up window, either to drop the malware directly or to drop a JavaScript downloader that, in turn, downloads and executes BadSpace. An analysis of the C2 servers used in the campaign has found connections to a known malware family called SocGholish (aka FakeUpdates), a JavaScript-based downloader propagated via the same mechanism.
See: https://redskyalliance.org/xindustry/news-websites-deliver-socgholish
In addition to employing anti-sandbox checks and setting up persistence using scheduled tasks, BadSpace can harvest system information and process commands that allow it to take screenshots, execute instructions using cmd.exe, read and write files, and delete the scheduled task. The disclosure comes as security researchers have warned about other campaigns leveraging bogus browser update lures on compromised sites to distribute data stealers and remote access trojans.
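A defender-side correlation check for the JScript branch of the chain described above, as an added example that is not code from the article or from Red Sky Alliance: over constructed process-creation events in a Sysmon-like shape, it flags a script host running a .js file that was handed off by a browser or launched from a Downloads folder, and raises the severity when that script host goes on to register a scheduled task. The event field names, executable lists and sample values are assumptions for illustration.

```python
# Added example (not from the original article): correlate process-creation
# events to spot the fake-update -> JScript downloader -> scheduled-task pattern.
# Field names (ts, pid, ppid, image, cmdline) are assumptions modelled on
# Sysmon Event ID 1; all sample values below are constructed, not real telemetry.
from dataclasses import dataclass
from typing import Iterable

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed browser images
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # Windows JScript hosts

@dataclass
class ProcEvent:
    ts: int        # constructed timestamp (seconds)
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str

def find_badspace_like_chains(events: Iterable[ProcEvent]) -> list[dict]:
    """One finding per script host that ran a .js file either spawned by a
    browser or launched from a Downloads path; 'high' if it then ran
    schtasks /create (the persistence step the article describes)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in by_pid.values():
        if e.image not in SCRIPT_HOSTS or ".js" not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)
        from_browser = parent is not None and parent.image in BROWSERS
        from_downloads = "\\downloads\\" in e.cmdline.lower()
        if not (from_browser or from_downloads):
            continue
        persist = any(c.ppid == e.pid and c.image == "schtasks.exe"
                      and "/create" in c.cmdline.lower() for c in by_pid.values())
        findings.append({"script_host_pid": e.pid, "script": e.cmdline,
                         "parent": parent.image if parent else None,
                         "persistence": persist,
                         "severity": "high" if persist else "medium"})
    return findings

# Constructed sample events: one full chain, one download-only launch, and noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 4100, 1000, "chrome.exe", '"chrome.exe" --profile-directory=Default'),
    ProcEvent(130, 4200, 4100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\Update.js"'),
    ProcEvent(131, 4300, 4200, "schtasks.exe", 'schtasks /Create /SC MINUTE /TN "Updater" /TR "C:\\ProgramData\\x.exe"'),
    ProcEvent(200, 5200, 4100, "notepad.exe", "notepad.exe readme.txt"),
    ProcEvent(300, 6100, 6000, "cscript.exe", "cscript.exe logon.vbs"),  # admin logon script
    ProcEvent(400, 7100, 900, "explorer.exe", "explorer.exe"),
    ProcEvent(410, 7200, 7100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\Chrome_Update.js"'),
]

if __name__ == "__main__":
    for f in find_badspace_like_chains(SAMPLE_EVENTS):
        print(f["severity"], f["script_host_pid"], f["script"])
```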
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our services can help detect cyber threats and vulnerabilities. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.cybersecurityintelligence.com/blog/hackers-use-windows-backdoor-to-deliver-badspace--7739.html