SecurityWeek | Malware & Threats

New BadSpace Backdoor Deployed in Drive-By Attacks

The BadSpace backdoor is being distributed via drive-by attacks involving infected websites and JavaScript downloaders.

A recently identified backdoor is distributed using a multi-stage attack chain involving infected WordPress websites, cybersecurity firm G Data CyberDefense reports.

Dubbed BadSpace and initially identified in late May, the backdoor is distributed using a mechanism that resembles that of SocGholish, a malware family previously linked to the Russia-based Evil Corp cybercrime group and to the initial access broker (IAB) Exotic Lily.

The BadSpace delivery chain, G Data explains, starts when the victim accesses an infected website, which sets a cookie to track users’ visits.

On the first visit, the malicious code constructs a URL using device information as parameters and sends a request to it; the response overwrites the initially accessed page to trigger the malware deployment.

In some cases, the user is shown a fake browser update notification, and a JavaScript downloader is executed to deploy the BadSpace backdoor.

Security researchers have identified at least three domains that serve as command-and-control (C&C) servers and deliver the fake update JavaScript code based on the visitor’s IP and browser version.

The JavaScript file, which employs various obfuscation techniques, contains a function to construct a PowerShell downloader that silently fetches the BadSpace backdoor and executes it using rundll32.exe.
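The delivery chain above (JavaScript downloader, then PowerShell, then rundll32.exe) can be hunted for in process-creation telemetry by walking the parent chain of every rundll32.exe launch. The following is an added example written for this article, not G Data's code or any real EDR query; the event field names and the sample events are constructed assumptions, not actual telemetry.

```python
"""Flag rundll32.exe launches whose parent is powershell.exe and whose
grandparent is a Windows script host, the chain the article describes.
Event schema (pid, ppid, image, cmdline) is an assumption for this example."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry). Chain 200 -> 300 -> 400 is
# the suspicious one; chain 500 -> 600 is an admin running a benign DLL entry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\Update.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c (constructed stage-2 download)"},
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,Entry"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"pid": 600, "ppid": 500, "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def find_chains(events):
    """Return one dict per matching chain: the three pids in order and
    whether the rundll32 command line references a user-writable Temp path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "rundll32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or parent["image"].lower() != "powershell.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if not grand or grand["image"].lower() not in SCRIPT_HOSTS:
            continue
        hits.append({
            "chain": [grand["pid"], parent["pid"], e["pid"]],
            "dll_in_temp": "\\temp\\" in e["cmdline"].lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print("suspicious chain", hit["chain"], "temp DLL:", hit["dll_in_temp"])
```

The benign explorer-spawned PowerShell session is not reported because its grandparent is not a script host, which keeps the rule narrow enough to be usable without allow-listing every administrative rundll32 call.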

BadSpace employs multiple anti-sandbox techniques, such as checking the number of folders in the Temp directory, checking the number of times DisplayName appears as a subkey in a registry key, and checking the number of processors and the memory status.

It then establishes persistence by creating a scheduled task and copying itself, and sets up C&C communication by sending a cookie containing system information and an RC4 key used to encrypt traffic.

The malware supports seven commands, which allow it to query system information, take screenshots, execute commands in the command prompt, read and write files, and delete the scheduled task used for persistence.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
