Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
Jun 17, 2024
Web Security / Malware
Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates.

"The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German cybersecurity company G DATA said in a report. Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month.

The attack starts with a compromised website, including those built on WordPress, into which code is injected that incorporates logic to determine if a user has visited the site before. Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request. The response from the server subsequently overlays the contents of the web page with a ph...