June 17, 2024 at 03:00AM
Legitimate but compromised websites are being used to distribute a Windows backdoor called BadSpace via fake browser updates. The attack chain involves the infected websites, a command-and-control server, the fake browser update lure, and a JScript downloader. The backdoor itself performs anti-sandbox checks and harvests system information.
Key Takeaways from the Meeting Notes:
1. Cybersecurity company G DATA reported on a Windows backdoor malware named BadSpace, which is being distributed through compromised websites disguised as fake browser updates.
2. The attack involves an infected website, a command-and-control server, fake browser update pop-ups, and a JScript downloader to deploy the backdoor into victims’ systems.
3. Compromised websites, including those built on WordPress, inject code to collect user information and transmit it to a hard-coded domain, which then overlays the web page with a fake Google Chrome update pop-up to deliver the malware.
4. BadSpace employs anti-sandbox checks, sets up persistence using scheduled tasks, and is capable of harvesting system information, taking screenshots, executing instructions, and more.
5. The malware campaign has connections to another known malware called SocGholish (aka FakeUpdates).
6. Both eSentire and Sucuri have warned about different campaigns using similar bogus browser update lures to distribute information stealers and remote access trojans.
Overall, the meeting notes highlight the sophisticated nature of the BadSpace malware campaign and the need for vigilance against similar attacks leveraging fake browser updates on compromised websites.