The PolySwarm Blog


BadSpace Backdoor

Jun 25, 2024 1:23:38 PM / by The Hivemind


Executive Summary

BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites.

Key Takeaways

  • BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites. 
  • The threat actors behind BadSpace often infect WordPress sites and inject the malicious code into the index page or into the JavaScript libraries. 
  • In some cases, the website shows a window with a fake Google Chrome update that drops either the malware itself or a JScript downloader onto the victim machine. 
  • The infrastructure and TTPs used appear to overlap with those of SocGholish.

What is BadSpace?

BadSpace, also known as WarmCookie, is a novel backdoor delivered via a multistage attack leveraging infected websites. G DATA recently reported on BadSpace.

The threat actors behind BadSpace are using legitimate but compromised websites to deliver the malware. When a user visits one of the infected websites, the site sets a cookie to track whether the user has visited the page before. If the visit is the user's first, the injected code constructs a URL with query parameters describing the visitor, including the device type, IP, referrer, user agent, domain, and location, and sends a GET request to it. The server's response is the next-stage payload.

The threat actors behind BadSpace often infect WordPress sites and inject the malicious code into the index page or into the site's JavaScript libraries. In some cases, the website shows a window with a fake Google Chrome update that drops either the malware itself or a JScript downloader onto the victim machine.

The JScript file goes through a multi-step de-obfuscation process before ultimately constructing a PowerShell downloader. The PowerShell code then downloads BadSpace and, after a ten-second pause, executes the downloaded DLL using rundll32.exe.
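The delivery chain above is visible in process-creation telemetry as a Windows script host spawning PowerShell, which in turn launches rundll32.exe roughly ten seconds later. The following is an added hunting example, not tooling from the original post or from G DATA; the event schema (timestamp, pid, ppid, image, command line) and the sample events are constructed stand-ins, and file names such as ChromeUpdate.js and update.dll are placeholders, not indicators from the campaign.

```python
"""Hunt for the BadSpace delivery chain: a JScript dropper run by a Windows
script host spawns PowerShell, which downloads the DLL, pauses about ten
seconds, then launches it through rundll32.exe.

Added example, not code from the original post. The event schema below is a
constructed, simplified process-creation log, not any vendor's real format."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime      # process start time
    pid: int
    ppid: int         # parent pid at creation time
    image: str        # lower-case image base name
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Loose window around the ten-second pause: allow for download time and jitter.
MIN_GAP = timedelta(seconds=8)
MAX_GAP = timedelta(seconds=120)

# Constructed sample telemetry (assumption: not real victim data; the file
# names are placeholders, not campaign indicators).
SAMPLE_EVENTS = [
    ProcEvent(datetime(2024, 6, 25, 13, 20, 0), 4100, 900, "explorer.exe", "explorer.exe"),
    ProcEvent(datetime(2024, 6, 25, 13, 20, 5), 4212, 4100, "wscript.exe",
              'wscript.exe "C:\\Users\\alice\\Downloads\\ChromeUpdate.js"'),
    ProcEvent(datetime(2024, 6, 25, 13, 20, 6), 4300, 4212, "powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(datetime(2024, 6, 25, 13, 20, 17), 4388, 4300, "rundll32.exe",
              "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll,Start"),
    # Benign: an administrator invoking rundll32 from an interactive shell.
    ProcEvent(datetime(2024, 6, 25, 13, 25, 0), 5000, 4100, "cmd.exe", "cmd.exe"),
    ProcEvent(datetime(2024, 6, 25, 13, 25, 1), 5010, 5000, "rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]


def find_badspace_chains(events):
    """Return (script_host_pid, powershell_pid, rundll32_pid, gap_seconds) for
    every rundll32.exe whose parent is powershell.exe whose parent is a script
    host, where rundll32 started inside the expected pause window after
    PowerShell. Parent lookup assumes pids are not reused within the log."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image != "rundll32.exe":
            continue
        ps = by_pid.get(e.ppid)
        if ps is None or ps.image != "powershell.exe":
            continue
        host = by_pid.get(ps.ppid)
        if host is None or host.image not in SCRIPT_HOSTS:
            continue
        gap = e.ts - ps.ts
        if MIN_GAP <= gap <= MAX_GAP:
            hits.append((host.pid, ps.pid, e.pid, int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for host_pid, ps_pid, dll_pid, gap in find_badspace_chains(SAMPLE_EVENTS):
        print(f"script host {host_pid} -> powershell {ps_pid} -> rundll32 {dll_pid} after {gap}s")
```

The three-process ancestry is the strong signal; the timing window only narrows it. In production telemetry, also weight rundll32 loading a DLL from a user-writable path (Temp, AppData, Downloads), and resolve parents by process GUID rather than pid, since pid reuse will break the simple lookup used here.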

BadSpace, which targets Windows devices, is an obfuscated but unpacked 64-bit (PE32+) DLL. It has several features that point to at least a mild degree of sophistication, including persistence and anti-sandboxing capabilities. When BadSpace first communicates with the C2, it sends a cookie containing encrypted information about the victim machine: the machine name, DNS domain, OS version, and username, along with an RC4 key that is hard coded and unique to each sample. That hardcoded RC4 key is used to encrypt C2 communication. BadSpace has basic functionality for interacting with the victim machine, including but not limited to the ability to take a screenshot, execute cmd commands, read and write files, and remove its scheduled-task persistence.
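Because the RC4 key is hard coded per sample, an analyst who pulls it out of the binary can decrypt that sample's beacons offline. The following is an added example, not code from the original post or from G DATA: it implements RC4, round-trips a constructed victim-info cookie, and shows the keystream-reuse weakness of a fixed key. The key, the field names and the `key=value|...` layout are constructed stand-ins; the real BadSpace wire format is not reproduced here, and whether BadSpace adds a per-message nonce is not stated on this page, so the reuse check is a general property of RC4 with a fixed key rather than a confirmed finding about the malware.

```python
"""RC4 as BadSpace uses it for the C2 cookie: the key is hard coded and unique
per sample, so once recovered from the binary it decrypts that sample's beacons.

Added example, not code from the original post or from G DATA. The field
layout, key and victim values are constructed stand-ins."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins (assumption): a per-sample key and the victim fields
# the post lists as being sent in the first check-in.
SAMPLE_KEY = b"0123456789abcdef"
VICTIM = {"machine": "DESKTOP-01", "domain": "corp.example",
          "os": "10.0.19045", "user": "alice"}


def build_cookie(key: bytes, fields: dict) -> str:
    """Serialize the fields, RC4-encrypt them, base64 them for a Cookie header."""
    plaintext = "|".join(f"{k}={v}" for k, v in fields.items()).encode()
    return base64.b64encode(rc4(key, plaintext)).decode()


def decrypt_cookie(key: bytes, cookie: str) -> dict:
    """Analyst side: recover the victim fields given the hard-coded key."""
    plaintext = rc4(key, base64.b64decode(cookie)).decode()
    return dict(kv.split("=", 1) for kv in plaintext.split("|"))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """A fixed key with no per-message nonce means every message reuses the
    same keystream, so c1 XOR c2 equals p1 XOR p2: the XOR of two plaintexts
    leaks to anyone on the wire without the key. Returns True if that holds."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    n = min(len(p1), len(p2))
    return (bytes(a ^ b for a, b in zip(c1, c2))
            == bytes(a ^ b for a, b in zip(p1[:n], p2[:n])))


if __name__ == "__main__":
    cookie = build_cookie(SAMPLE_KEY, VICTIM)
    print("cookie:", cookie)
    print("decrypted:", decrypt_cookie(SAMPLE_KEY, cookie))
    print("keystream reuse leaks plaintext XOR:",
          keystream_reuse_leak(SAMPLE_KEY, b"first beacon", b"second beacon"))
```

For network-side detection, the practical consequence is the reverse of the analyst's convenience: RC4 under a static key gives the traffic no per-message randomness, so the first bytes of every beacon from one sample encrypt the same fixed plaintext prefix to the same ciphertext, which is a usable signature once one sample's key and layout are known.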

G DATA noted that the C2 used in these attacks has also been used by SocGholish. Additionally, delivery through fake browser updates and JS files is a known SocGholish TTP. 

IOCs

PolySwarm has multiple samples associated with this activity (SHA-256):

c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc
c7fc0661c1dabd6efd61eaf6c11f724c573bb70510e1345911bdb68197e598e7
2a311dd5902d8c6654f2b50f3656201f4ceb98c829678834edaeae5c50c316f5
6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f
9bc4c44b24f4ba71a1c7f5dd1c8135544218235ae58efa81898e55515938da6a
a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e
c437e5caa4f644024014d40e62a5436c59046efc76c666ea3f83ab61df615314

You can use the following CLI command to search for all BadSpace samples in our portal:

$ polyswarm link list -f BadSpace


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Backdoor, BadSpace, WarmCookie, SocGholish
