Legitimate websites that have been compromised are now being utilized as a means to distribute a Windows backdoor known as BadSpace through fake browser updates. According to a report from German cybersecurity company G DATA, threat actors are employing a multi-stage attack chain involving infected websites, command-and-control servers, fake browser updates, and a JScript downloader to deploy the backdoor onto victims' systems.
Multi-Stage Attack Chain
The malware details were initially shared by researchers kevross33 and Gi7w0rm last month. The process begins with a compromised website, including those built on WordPress, injecting code that checks if a user has visited the site before. If it's the user's first visit, the code collects device information and transmits it to a specific domain via an HTTP GET request.
Following this, the server response overlays the web page with a fake Google Chrome update pop-up window, which then drops the malware or a JavaScript downloader that downloads and executes BadSpace. Analysis of the campaign's C2 servers has revealed connections to SocGholish, a known malware propagated through similar methods.
Capabilities of BadSpace
BadSpace includes anti-sandbox measures and establishes persistence using scheduled tasks. It can gather system information, take screenshots, execute commands, read and write files, and delete scheduled tasks. eSentire and Sucuri have also warned of campaigns using fake browser updates on compromised sites to distribute information stealers and remote access trojans.
If you found this article intriguing, follow us on Twitter and LinkedIn for more exclusive content.