Hackers are leveraging legitimate-but-compromised websites to deploy a Windows backdoor called BadSpace, disguising it as fake browser updates.
According to the report, the attackers use a multi-stage approach involving an infected website, a command-and-control (C2) server, a fake browser update, and a JScript downloader to install the backdoor on the victim’s system.
The details of the malware were initially shared by researchers kevross33 and Gi7w0rm last month.
The attack begins with a compromised website, often one built on WordPress, into which the attackers inject code that checks whether a user is visiting for the first time. For first-time visitors, the code collects device information, the IP address, the user-agent string, and location, and sends it to a predetermined domain via an HTTP GET request.
The server’s response then overlays the webpage with a fake Google Chrome update pop-up. This pop-up either directly drops the malware or a JavaScript downloader, which subsequently downloads and executes BadSpace.
An analysis of the C2 servers involved in this campaign has revealed connections to the SocGholish malware (also known as FakeUpdates), a JavaScript-based downloader spread via similar methods.
BadSpace is equipped with anti-sandbox checks, persistence through a scheduled task, and the ability to harvest system information. It can process commands to take screenshots, execute instructions via cmd.exe, read and write files, and delete its own scheduled task.
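Because the backdoor keeps its foothold through a scheduled task, one practical hunting step on a suspect Windows host is to enumerate every scheduled task and flag those whose action launches a binary, or a script passed to cmd.exe/wscript.exe/powershell.exe, from a user-writable location. The PowerShell below is an added example written for this article, not code from the researchers or from the malware report; the set of trusted root directories and the path patterns treated as suspicious are assumptions you should adjust to your own environment.

```powershell
# Added example (not from the report): hunt for scheduled tasks whose action
# runs something from a user-writable location, a trait shared by many
# scheduled-task persistence mechanisms, including the one BadSpace uses.
# Run in an elevated PowerShell session on the host being examined.

# Assumption: binaries under these roots are considered trusted. Extend as needed.
$trustedRoots = @(
    "$env:SystemRoot\",
    "${env:ProgramFiles}\",
    "${env:ProgramFiles(x86)}\"
)

# Assumption: arguments pointing into these directories are worth a closer look.
$userPathPattern = '(?i)\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\'

function Test-TrustedPath {
    param([string]$Path)
    # COM-handler actions carry no executable; nothing to judge, so treat as trusted
    if ([string]::IsNullOrWhiteSpace($Path)) { return $true }
    # Strip surrounding quotes and expand any environment variables in the path
    $clean = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $trustedRoots) {
        if ($clean.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    # A bare name such as "cmd.exe" resolves through PATH; the arguments check
    # below decides whether it is pointed at a script in a user directory
    return -not $clean.Contains('\')
}

$suspicious = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe       = $action.Execute
        $arguments = $action.Arguments
        $fromUserPath    = -not (Test-TrustedPath $exe)
        $argsHitUserPath = $arguments -match $userPathPattern
        if ($fromUserPath -or $argsHitUserPath) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                RunAs     = $task.Principal.UserId
                Execute   = $exe
                Arguments = $arguments
                LastRun   = $info.LastRunTime
            }
        }
    }
}

# Most recently executed tasks first, since a fresh infection's task will have run recently
$suspicious | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Legitimate software does sometimes register tasks from AppData or ProgramData (updaters are the usual case), so treat the output as a triage list rather than a verdict: confirm each hit by checking the file's signature and hash and by correlating its LastRun time with the fake-update pop-up the user reported.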
This disclosure follows warnings from eSentire and Sucuri about different campaigns using fake browser update lures on compromised sites to distribute information stealers and remote access trojans.
To prevent falling victim to the BadSpace Windows backdoor, ensure your software is always kept up to date from official sources. Avoid downloading updates from pop-ups or untrusted websites. Use reputable antivirus and anti-malware programs to detect and block malicious activity.
Regularly back up your data and maintain strong security practices, such as using complex passwords and enabling multi-factor authentication (MFA). Be cautious when visiting unfamiliar websites and consider using browser security extensions to block potentially harmful scripts.