Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Legitimate-but-compromised websites are being used as a medium to deliver a Windows backdoor dubbed BadSpace, disguised as fake browser updates. “The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim’s system,” German cybersecurity company G DATA said in a report. Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month. It all starts with a compromised website, including sites built on WordPress, into which code is injected that determines whether a user has visited the site before. During the user’s first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request.

ATTACK OVERVIEW:

The response from the server subsequently overlays the contents of the web page with a phony Google Chrome update pop-up window that either drops the malware directly or delivers a JavaScript downloader that, in turn, downloads and executes BadSpace. An analysis of the C2 servers used in the campaign has uncovered connections to a known malware called SocGholish (aka FakeUpdates), a JavaScript-based downloader malware that is propagated via the same mechanism. BadSpace, in addition to employing anti-sandbox checks and setting up persistence using scheduled tasks, is capable of harvesting system information and processing commands that allow it to take screenshots, execute instructions using cmd.exe, read and write files, and delete the scheduled task. The disclosure comes as both eSentire and Sucuri have warned of different campaigns that leverage bogus browser update lures on compromised sites to distribute information stealers and remote access Trojans. This has put a large number of users at risk.

SocGholish (FakeUpdates):

SocGholish is a malware family that leverages drive-by downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2023. Similar to the spike in activity we observed in February 2022, in 2023 SocGholish was most active in March, suggesting a trend of increased targeting in the first quarter of the year. For the rest of the year, SocGholish maintained a relatively stable background volume, typically affecting about 0.5 percent of Red Canary-monitored environments each month. Also known as FakeUpdates, SocGholish typically gains initial access by presenting visitors to a compromised website with a lure indicating that an update is needed for their browser or other common software. Unsuspecting users who download the “update” are tricked into running a malicious JavaScript payload, launching the attack. Historically, SocGholish wrapped this JavaScript (JS) payload within a ZIP file; however, since late 2022 the JS payload has been delivered directly, without the ZIP cover, in a majority of cases.

BadSpace BACKDOOR MALWARE:

On May 19th, threat intelligence analyst Gi7w0rm alerted the cybersecurity community about a new backdoor, “BadSpace,” discovered by researcher @kevross33. Collaborative research identified a multi-stage attack chain involving an infected website, a command and control (C2) server, sometimes a fake browser update, and a JScript downloader to deploy the backdoor. BadSpace is delivered via infected websites that set a cookie to track first-time visitors. The injected code constructs a URL containing device information and sends a GET request, then overwrites the original webpage with the malicious payload unless an error occurs. Infected sites tend to be WordPress sites in which malicious code has been injected into JavaScript libraries or index pages. The retrieved JScript files drop and run BadSpace, sometimes using extension spoofing such as “.pdf.js”. Some websites show a fake Google Chrome update window that downloads the backdoor or the JScript. The C2 domains used are associated with the SocGholish threat actor, known for using fake updates and JS files, and the attack shares similarities with SocGholish’s delivery methods for backdoors. The JScript file has three functions and an array of strings that rely on obfuscation techniques; most variables are left undeclared, which further complicates analysis. The third function, which is also obfuscated using the JavaScript Compressor, builds a PowerShell downloader that downloads the BadSpace backdoor and runs it silently in rundll32.exe after 10 seconds. BadSpace itself is an obfuscated PE32+ DLL with RC4-encrypted strings, DLL names, and API function names. Each encrypted string is stored with its length, a key, and the encrypted data. APIs are resolved dynamically via LoadLibraryW and GetProcAddress.
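The delivery chain described above (script host running a double-extension .js file, PowerShell spawned from it, rundll32.exe loading the downloaded DLL, and a scheduled task created for persistence) can be flagged from process-creation telemetry. The following is an added detection example, not code from G DATA, Red Canary or the malware; the event field names, file paths, task name and sample events are constructed to resemble Sysmon-style records and are not real logs.

```python
# Added example: flag the fake-update delivery chain in constructed process-creation events.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extension spoofing such as "x.pdf.js": looks like a document, runs as JScript.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|png|jpe?g)\.js\b", re.IGNORECASE)

def reasons_for(ev, parent):
    """Suspicious traits of one event, given its parent event (or None)."""
    img = ev["image"].rsplit("\\", 1)[-1].lower()
    pimg = parent["image"].rsplit("\\", 1)[-1].lower() if parent else ""
    cmd = ev["cmdline"].lower()
    out = []
    if img in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        out.append("script host executing a double-extension .js file")
    if img == "powershell.exe" and pimg in SCRIPT_HOSTS:
        out.append("PowerShell launched by a script host")
    if img == "rundll32.exe" and pimg == "powershell.exe":
        out.append("rundll32 loading a DLL on behalf of PowerShell")
    if img == "schtasks.exe" and "/create" in cmd and pimg == "rundll32.exe":
        out.append("scheduled task created from rundll32-hosted code")
    return out

def scan(events):
    # Map pid -> reasons for every event that matches at least one chain stage.
    by_pid = {ev["pid"]: ev for ev in events}
    hits = {}
    for ev in events:
        r = reasons_for(ev, by_pid.get(ev["ppid"]))
        if r:
            hits[ev["pid"]] = r
    return hits

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed sample telemetry; paths, names and the task name are made up.
SAMPLE = [
    ev(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(300, 100, r"C:\Windows\System32\wscript.exe",
       r'wscript.exe "C:\Users\Public\Downloads\Chrome_Update.pdf.js"'),
    ev(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -w hidden -c <constructed placeholder>"),
    ev(500, 400, r"C:\Windows\System32\rundll32.exe",
       r"rundll32.exe C:\Users\Public\AppData\Local\Temp\payload.dll,Run"),
    ev(600, 500, r"C:\Windows\System32\schtasks.exe",
       'schtasks.exe /create /sc minute /mo 10 /tn "Updater" /tr rundll32.exe'),
    # Benign control: an administrator opening PowerShell from Explorer.
    ev(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]
```

Each stage alone (PowerShell from a script host, rundll32 from PowerShell) can occur in legitimate automation, so in practice the per-stage hits should be correlated along the parent chain before alerting.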

HOW ARE BACKDOORS IMPLEMENTED?

The process of implementing a backdoor attack typically involves several steps. The attackers must first identify vulnerabilities in the target system or network. Once these vulnerabilities are identified, attackers can exploit them to gain access. Once inside, they can establish a covert channel that bypasses normal security measures. Such backdoors are used to launch further attacks or collect sensitive information, and attackers may also use them to establish long-term access to the system or network. The existence of built-in backdoors or default passwords within software or hardware products can be a weak point, making them vulnerable to attacks. While built-in backdoors can sometimes serve legitimate purposes, their misuse or compromise can lead to unauthorized access. Attackers may use default passwords that are still in use or are well known to gain unauthorized access to and control over systems or devices. Because of their widespread use and the valuable personal data they store, mobile devices such as smartphones and tablets are also targets of backdoor attacks. Attackers may exploit vulnerabilities in mobile operating systems, applications, or third-party software to gain unauthorized access to devices, compromising sensitive information, including contacts, messages, photos, and more.

THE DANGER OF BACKDOOR ATTACKS:

Backdoor attacks pose a significant threat to organizations of all sizes. These attacks involve the use of hidden or unauthorized access points that allow attackers to bypass normal security measures and gain access to sensitive data or systems. While backdoor attacks can take many forms, they all share a common goal: to gain unauthorized access to a system or network.

  • Data Theft and Espionage: One of the most significant dangers of a backdoor attack is the potential for sensitive data theft. Because the attackers can bypass normal security measures, they may be able to access and steal data that would normally be protected.
  • System Compromise and Control: Another danger of backdoor attacks is that the attackers may gain control over the affected system or network. This could involve creating new user accounts, modifying system settings, launching malware attacks, or executing other malicious activities that could compromise the security and integrity of the system. For instance, a backdoor attack on a government agency could result in the attackers gaining control over critical systems, such as those used for national defense or law enforcement. This could have serious consequences, including the loss of classified information or the disruption of essential services.
  • Malware Distribution: Backdoor attacks often involve the use of spyware or malware. Spyware, a type of malicious software, is designed to gather sensitive information without the user’s knowledge or consent. It can monitor keystrokes, capture screenshots, access personal data, and even record audio or video. Backdoors exploited by spyware can compromise personal data, including financial information, login credentials, or confidential documents. Cybercriminals commonly use malware to install backdoors, giving them remote administrative access to a system. Once an attacker has access to a system through a backdoor, they can potentially modify files, steal personal information, install unwanted software, and even take control of the entire computer.

OTHER TYPES OF BACKDOOR ATTACKS:

  • Cryptojacking: This occurs when a victim’s computing resources are hijacked to mine cryptocurrency. Cryptojacking attacks target all sorts of devices and systems.
  • DoS attacks: These overwhelm servers, systems and networks with unauthorized traffic so that legitimate users can’t access them.
  • Ransomware: This is malware that prevents users from accessing a system and the files it contains. Attackers usually demand payment of a ransom for the resources to be unlocked.
  • Spyware: This is malware that steals sensitive information and relays it to other users without the information owner’s knowledge. It can steal credit card numbers, account login data and location information. Keyloggers are a form of spyware used to record a user’s keystrokes and steal passwords and other sensitive data.
  • Trojan horse: It is a malicious program that’s often installed through a backdoor and appears harmless. A backdoor Trojan includes a backdoor that enables remote administrative control of a targeted system.
  • Federated learning: This decentralized method of machine learning trains models locally on edge devices, as opposed to collecting the data and training the model in a centralized location. Edge devices have limited communication with the central servers. This lets threat actors poison a training data set and embed a backdoor on the central server when it does communicate with the edge device.
  • Hardware: Attackers use modified chips, processors, hard drives and USBs to create backdoors.
  • Internet of things (IoT): Components of these systems, such as security cameras, drones and smart thermostats, can act as backdoors and turn into security vulnerabilities. IoT devices often come equipped with default passwords that function as a backdoor. Administrators often don’t change them, and hackers can easily guess them.

REMEDIATION STEPS:

  1. Develop and enforce a strong network monitoring policy: This is essential for preventing backdoors. Make sure you audit security solutions, update and patch the network daily, monitor the network, and implement a zero-trust policy protected by multi-factor authentication.
  2. Change company passwords and monitor: This helps in maintaining a strict policy around the system. Default passwords left in place unwittingly create backdoors in the organization’s systems.
  3. Use firewalls and download with care: A strong firewall can help protect you against attacks like backdoor viruses and block any suspicious application trying to send your sensitive data to an unknown network location.
  4. Keep your OS and software updated: Updated systems resist attack attempts far better than unpatched ones.
  5. Stop accessing unauthorized and unverified websites/content over the internet: Users should refrain from this and take extra precautions when accessing free websites/software. Such places are a hub for viruses and ill-intended content and can cause serious damage to your system.
  6. Set up an anti-malware program: It is useful to keep malicious content at bay. It will automatically detect and eliminate dangers like viruses, malware, Trojans, and so on and keep the system protected. As everything happens automatically, not much effort is required.
  7. Implementing a solution to detect untrusted software on endpoints: Flexible work models are the new norm. With endpoint management, IT administrators can quickly enroll and configure devices, manage cybersecurity, set up automation and integrate with productivity and third party apps, regardless of the operating system, device or workspace.