NSA shares tips on blocking BlackLotus UEFI malware attacks

BadSpace Malware Attacking Users By Leveraging High-Ranking Infected Websites

Hackers abuse high-ranking infected websites to leverage their established credibility and large user base to spread malware, launch phishing attacks, or redirect traffic to malicious sites.

While exploiting such trusted infected platforms they can now reach out to larger audiences, increase the efficiency of their attacks, and escape from being caught for a longer period of time through this way.

Cybersecurity analysts at GData Software recently identified that BadSpace malware has been actively attacking users by leveraging high-ranking infected websites.

BadSpace Malware Attacking Users

On May 19th, threat intelligence analyst Gi7w0rm alerted the cybersecurity community about a new backdoor, “BadSpace,” discovered by researcher @kevross33.

Collaborative research identified a multi-stage attack chain involving an infected website, a command and control (C2) server, sometimes a fake browser update, and a JScript downloader to deploy the backdoor.

BadSpace is delivered via infected websites that set a cookie to track first-time visitors.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

It constructs a URL with device information and sends a GET request, overwriting the original webpage with a malicious payload unless an error occurs.

Infected sites tend to be WordPress sites that inject malicious code into JavaScript libraries or index pages.

Acquired JScript files drop and run BadSpace, sometimes using extension spoofing like “.pdf.js”.

Infection chain (Source – GDATA Software)

Some websites show a fake Google Chrome update window that downloads the backdoor or JScript.

The C2 domains used are associated with the SocGholish threat actor known for using fake updates and JS files.

This attack shares similarities with SocGholish’s delivery methods for backdoors. The JScript file has three functions and an array of strings that utilize obfuscation techniques.

Most variables are left undeclared to make things a bit more complicated.

The third function, which is also obfuscated using the JavaScript Compressor, builds a PowerShell downloader that downloads and runs BadSpace backdoor silently in rundll32.exe after 10 seconds.

BadSpace is a sample of obfuscated PE32+ DLL with RC4-encrypted strings, DLL names, and API function names.

Each string has its length, a key, and encrypted data. APIs are dynamically resolved by LoadLibraryW and GetProcAddress.

IDA Python Script

A researcher has created an IDA Python script based on the OALabs Revil decryption script to decode strings and APIs in IDA.

In addition, a security analyst (Mohamed Ashraf) has provided another independent Python script for decrypting BadSpace strings.

BadSpace employs several anti-sandbox similarities, counting the number of folders in %TEMP% and %APPDATA%, querying the registry for “DisplayName” subkeys under SOFTWAREMicrosoftWindowsCurrentVersionUninstall, and checking the number of processors and global memory status.

Thresholds differ per sample, and after anti-sandbox checks, it creates a mutex with a unique UUID, which persists via scheduled task creation and self-copying for EXE or DLL files.

The backdoor uses a hardcoded RC4 key for encrypting C2 communication, which differs for each sample.

Its user agent is responsible for the “BadSpace” name, which includes extra spaces not found in Firefox user agents.

While “WarmCookie” appeared in one VirusTotal detection name, “BadSpace” was more prevalent in researcher discussions and on Twitter, leading to its adoption.

IoCs

Java Script (Web Infection)

[1] 2b4d7ed8d12d34cbf5d57811ce32f9072845f5274a2934221dd53421c7b8762b

[2] f3fed82131853a35ebb0060cb364c89f42f55e357099289ca22f7af651ee2c48

255cc818a2e11d7485c1e6cc1722b72c1429b899304881cf36c95ae65af2e566

JScript Droppers

[3] c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc

[4] 9786569f7c5e5183f98986b78b8e6d7afcad78329c9e61fb881d3d0960bc6a15

c7fc0661c1dabd6efd61eaf6c11f724c573bb70510e1345911bdb68197e598e7

2a311dd5902d8c6654f2b50f3656201f4ceb98c829678834edaeae5c50c316f5

0da87bff1a95de9fc7467b9894a8d8e0486dfd868c2c7305e83951babacde642

BadSpace

[5] 6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f

2a5a12cc4ef2f0f527cc072243aa27d3e95e48402ef674e92c6709dc03a0836a

2a4451ef47b1f4b971539fb6916f7954f80a6735cf75333fa9d19b169c31de2e

9bc4c44b24f4ba71a1c7f5dd1c8135544218235ae58efa81898e55515938da6a

475edfbb2b03182ef7c42c1bc2cc4179b3060d882827029a6e67c045a0c1149b

676cbcaa74ee8e43abaf0a2767c7559a8f4a7c6720ecc5ae53101a16a3219b9a

770cafb3fe795c2f13eb44f0a6073b8fe4fb3ee08240b3243c747444592d85ff

84519a45da0535087202b576391d1952a4cc81213f0e470db65f1817b65ee9d7

a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e

a725883bd1c39e48ab60b2c26b5692f7334a3e4544927057a9ffbdabfeedf432

ad2333e1403e3d8f5d9bd89d7178e85523fa7445e0a05b57fd9bc35547ec0d98

ba4c8be6a1eb92d79df396eea8658b778f4bc0f010da48e1d26e3fc55d83e9c7

b6ac7f6e3b03acd364123a07b2122d943c4111ac4786bb188d94eae0e5b22c02

bb74c6fc0323956dd140988372c412f8b32735fb0ed1ad416e367d29c06af9cc

c437e5caa4f644024014d40e62a5436c59046efc76c666ea3f83ab61df615314

C2

80.66.88.146

185.49.69.41

[6] uhsee[.]com

[7] kongtuke[.]com

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

The post BadSpace Malware Attacking Users By Leveraging High-Ranking Infected Websites appeared first on Cyber Security News.

Related

Related Posts