Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

            Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system.

            German cybersecurity company G DATA said in a report. It all starts with a compromised website, including those built on WordPress, to inject code that incorporates logic to determine if a user has visited the site before. Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request. 

            An analysis of the C2 servers used in the campaign has uncovered connections to a known malware called SocGholish (aka FakeUpdates), a JavaScript-based downloader malware that's propagated via the same mechanism.

Reference: Hacker news.