
Attack of BadSpace: Malware Exploiting Top Websites to Target Users


TLDR:

BadSpace malware is actively attacking users by leveraging high-ranking infected websites. It uses multiple stages of attack, including a backdoor, command and control server, fake browser updates, and JScript downloader. The malware is delivered through infected websites, primarily targeting WordPress sites. BadSpace employs anti-sandbox measures and uses a hardcoded RC4 key for encrypting its communication. Security analysts have created scripts to decrypt the malware’s strings and APIs for further analysis.

Full Article:

Hackers are exploiting high-ranking infected websites to spread BadSpace malware and launch phishing attacks, taking advantage of their established credibility and large user base. GData Software cybersecurity analysts have identified this malware, which was discovered by threat intelligence analyst Gi7w0rm on May 19th.

BadSpace is delivered through infected websites that track first-time visitors and use cookies to send malicious payloads. These websites, often WordPress sites, inject malicious code into JavaScript libraries or index pages to deploy the backdoor. The malware is spread through a multi-stage attack chain involving a C2 server, fake browser updates, and JScript downloaders.

The JScript files used in the attack have obfuscated strings and APIs, making it more difficult to detect and analyze the malware. The backdoor uses a hardcoded RC4 key to encrypt its communication, with different keys for each sample. It also employs anti-sandbox measures to evade detection.

Security researchers have developed Python scripts to decode the strings and APIs used by BadSpace for further analysis. The malware creates a mutex with a unique UUID after anti-sandbox checks, ensuring persistence on the infected system.
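The two paragraphs above describe a backdoor whose strings and C2 traffic are RC4-encrypted under a key hardcoded in each sample, and analyst scripts that reverse that encryption. The block below is an added example of such an analyst-side helper; it is not GData's script and not code from the report. RC4 is implemented directly so the example runs offline, and because the page publishes no key or ciphertext, the key `PLACEHOLDER_KEY` and the encrypted string table are constructed here, with a published RC4 known-answer vector used as a self-check that the implementation is right before it is trusted on real data.

```python
"""Added example: RC4 string-table decryptor for malware analysis.
Not the GData script. PLACEHOLDER_KEY and the sample blobs are constructed
for this demonstration; a real analysis substitutes the key pulled from the
sample under study."""

from typing import List


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] using the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Published RC4 test vector (key 'Key', plaintext 'Plaintext').
    Run this before trusting the decryptor on a real string table."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def looks_like_text(blob: bytes) -> bool:
    """Heuristic: a correct key yields printable ASCII; a wrong key
    yields high-entropy junk. Used to flag a bad key early."""
    return len(blob) > 0 and all(0x20 <= b < 0x7F for b in blob)


def decrypt_string_table(key: bytes, blobs: List[bytes]) -> List[str]:
    """Decrypt each encrypted string; non-text results are reported as
    hex with a marker so the analyst notices a key mismatch."""
    result = []
    for blob in blobs:
        plain = rc4_crypt(key, blob)
        if looks_like_text(plain):
            result.append(plain.decode("ascii"))
        else:
            result.append("<undecodable:" + plain.hex() + ">")
    return result


# Constructed placeholders: not a key or strings from any real BadSpace sample.
PLACEHOLDER_KEY = b"placeholder-rc4-key"
SAMPLE_PLAINTEXTS = [b"kernel32.dll", b"CreateMutexW", b"GetTickCount"]
# The "captured" string table is built here by encrypting the constructed
# plaintexts, standing in for blobs carved out of a sample.
CONSTRUCTED_BLOBS = [rc4_crypt(PLACEHOLDER_KEY, p) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    assert rc4_self_test(), "RC4 implementation failed known-answer test"
    for s in decrypt_string_table(PLACEHOLDER_KEY, CONSTRUCTED_BLOBS):
        print(s)
    # Demonstrate the wrong-key case: every entry is flagged, not silently garbled.
    for s in decrypt_string_table(b"wrong-key", CONSTRUCTED_BLOBS):
        print(s)
```

Because the report notes that each sample carries its own key, the self-check and the printability heuristic matter more than the cipher itself: they stop an analyst from running a key recovered from one sample against another and mistaking the resulting noise for obfuscated data.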

Overall, BadSpace malware poses a serious threat to users by leveraging high-ranking infected websites to spread malicious payloads. Its complex delivery chain and anti-sandbox measures make it difficult to detect and analyze, highlighting the need for robust cybersecurity measures to protect against such attacks.
