New BadSpace Backdoor Deployed in Drive-By Attacks

The BadSpace backdoor is being distributed via drive-by attacks involving infected websites and JavaScript downloaders.

A recently identified backdoor is distributed using a multi-stage attack chain involving infected WordPress websites, cybersecurity firm G Data CyberDefense reports.

Dubbed BadSpace and initially identified in late May, the backdoor is distributed using a mechanism that resembles that of SocGholish, a malware family previously linked to the Russia-based Evil Corp cybercrime group and to the initial access broker (IAB) Exotic Lily.

The BadSpace delivery chain, G Data explains, starts when the victim accesses an infected website, which sets a cookie to track users’ visits.

On the first visit, the malicious code builds a URL that carries device information as parameters and sends a request to that URL, which overwrites the initially accessed page to trigger the malware deployment.

In some cases, the user is shown a fake browser update notification, and a JavaScript downloader is executed to deploy the BadSpace backdoor.

Security researchers have identified at least three domains that serve as command-and-control (C&C) servers and deliver the fake update JavaScript code based on the visitor’s IP and browser version.


The JavaScript file, which employs various obfuscation techniques, contains a function to construct a PowerShell downloader that silently fetches the BadSpace backdoor and executes it using rundll32.exe.
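The delivery chain described above (fake browser update, JavaScript downloader, PowerShell downloader, rundll32.exe execution) leaves a characteristic process lineage in endpoint telemetry. The following Python script is an added example, not code from the article or from G Data; it walks constructed process-creation events (fields loosely modelled on Sysmon Event ID 1: pid, ppid, image, command line) and flags any rundll32.exe whose ancestry runs through a PowerShell host, a Windows Script Host process, and a browser, in that order. The choice of wscript.exe/cscript.exe as the JavaScript host and the specific browser names are assumptions, as is all sample data.

```python
"""Hunt for the BadSpace-style delivery lineage in process-creation telemetry.

Added example (not from the article or G Data). Events are constructed and
approximate Sysmon Event ID 1 fields; no real indicators are used.
"""

# Assumptions about which images play each role in the chain.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed host for the JS downloader
SHELLS = {"powershell.exe", "pwsh.exe"}
LOADER = "rundll32.exe"

# Constructed sample telemetry: one malicious lineage and two benign rundll32 uses.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "chrome.exe",     "cmd": "chrome.exe"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\Downloads\Update.js"},          # constructed path
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -c <constructed downloader>"},
    {"pid": 500, "ppid": 400, "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Entry"},  # constructed
    # Benign: Control Panel applet launched from Explorer.
    {"pid": 600, "ppid": 100, "image": "rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign-looking: admin PowerShell spawning rundll32, but no browser/script-host ancestry.
    {"pid": 700, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe"},
    {"pid": 800, "ppid": 700, "image": "rundll32.exe",
     "cmd": "rundll32.exe printui.dll,PrintUIEntry"},
]


def build_index(events):
    """Map pid -> event so ancestry can be walked in O(depth)."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid):
    """Return lowercase image names from the process up through its known ancestors."""
    chain, seen = [], set()
    while pid in index and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        event = index[pid]
        chain.append(event["image"].lower())
        pid = event["ppid"]
    return chain


def matches_chain(images):
    """images[0] is the loader; require shell, then script host, then browser
    among its ancestors in that order (intermediate processes are allowed)."""
    stages = [SHELLS, SCRIPT_HOSTS, BROWSERS]
    stage = 0
    for img in images[1:]:
        if stage < len(stages) and img in stages[stage]:
            stage += 1
    return stage == len(stages)


def find_suspicious_loads(events):
    """Return one finding per rundll32.exe whose lineage matches the delivery chain."""
    index = build_index(events)
    hits = []
    for event in events:
        if event["image"].lower() != LOADER:
            continue
        chain = ancestry(index, event["pid"])
        if matches_chain(chain):
            hits.append({"pid": event["pid"],
                         "lineage": " <- ".join(chain),
                         "cmd": event["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(EVENTS):
        print(hit)
```

The lineage test is deliberately tolerant of intermediate processes (for example a conhost.exe or a second script host between stages), which keeps it robust to minor variations in how the downloader is launched; tightening it to exact parent-child adjacency lowers noise but misses such variants. In production this logic would run over real Sysmon or EDR process events rather than the constructed list.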

BadSpace employs multiple anti-sandbox techniques, such as checking the number of folders in the Temp directory, checking the number of times DisplayName appears as a subkey in a registry key, and checking the number of processors and the memory status.

It then sets persistence by creating a scheduled task and self-copying, and establishes C&C communication by sending a cookie containing system information and an RC4 key used to encrypt traffic.

The malware supports seven commands, which query system information, take screenshots, execute commands via the command prompt, read and write files, and delete the scheduled task used for persistence.

Related: ‘NsaRescueAngel’ Backdoor Account Again Discovered in Zyxel Products

Related: Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors

Related: JAVS Courtroom Audio-Visual Software Installer Serves Backdoor

Related: Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
