Compromised Websites Facilitate New Windows Backdoor Threat: BadSpace
Legitimate but compromised websites are being used to deliver a malicious Windows backdoor known as BadSpace. The operation is deceptive because the payload is presented as a browser update, misleading users and opening a path for intrusion into their systems.
According to a report by G DATA, a German cybersecurity firm, the attack chain has multiple stages: an infected website, a command-and-control (C2) server, and in some cases a fake browser update together with a JavaScript downloader. The goal is to deploy the BadSpace backdoor on the victim's machine without raising immediate suspicion.
The attack typically begins with a compromised website, often one built on WordPress. The attackers inject code that checks whether the visitor is loading the site for the first time. On a first visit, the code collects information about the device, including its IP address, user-agent, and geographical location, and sends it to a hard-coded domain via an HTTP GET request. This fingerprinting step prepares the ground for the next stages of the attack.
The server's response then triggers a fake Google Chrome update pop-up, which either drops the malware directly or drops a JavaScript downloader that fetches and executes BadSpace. Investigation of the C2 servers used in this campaign has revealed connections to SocGholish, a notorious JavaScript-based downloader that uses a similar distribution strategy.
Once installed, BadSpace behaves like other mature malware. It performs anti-sandbox checks, establishes persistence through scheduled tasks, and collects system information. It also processes commands that let it take screenshots, execute shell commands, read and write files, and delete scheduled tasks, posing a significant risk to affected systems.
This finding aligns with broader concerns in the cybersecurity community: eSentire and Sucuri have reported on several campaigns that use fraudulent browser update prompts on compromised websites to deploy information stealers and remote access trojans.
Mapped to the MITRE ATT&CK framework, the tactics likely employed in these attacks include initial access through compromised websites, persistence via scheduled tasks, and possibly privilege escalation.
As these threats continue to evolve, the case underscores the importance of maintaining robust security measures and staying informed about the latest tactics used by cybercriminals. Businesses must remain vigilant, combining technical safeguards with user training to protect against attacks of this kind.