Hackers spread BadSpace backdoor through hacked websites

G Data researchers have described a recently discovered backdoor that is distributed through a multi-stage attack chain built on compromised and infected sites running WordPress.

The backdoor, dubbed BadSpace and discovered in late May, spreads by a mechanism reminiscent of SocGholish attacks (malware that has previously been linked to the Russian-speaking hacking group Evil Corp and the initial access broker Exotic Lily).


The BadSpace attack chain begins when the victim visits an infected website that uses cookies to track visitors. On a user's first visit, the injected code collects information about their device, IP address, user agent and location and sends it to a hard-coded domain via an HTTP GET request.

Once the server responds, the content of the page the user originally opened is blocked, which leads to the deployment of the malware. In some cases the user is shown a fake browser update notification, after which a JavaScript loader is triggered to deploy the BadSpace backdoor.

Researchers identified at least three domains that serve as command-and-control servers; these deliver the fake-update JavaScript based on the visitor's IP address and browser version.

The JavaScript file, which uses several obfuscation techniques, contains a function that builds a PowerShell loader; the loader silently extracts the BadSpace backdoor and runs it via rundll32.exe.
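The loader chain described above (script host, then a hidden PowerShell loader, then rundll32.exe loading a DLL from a user-writable directory) leaves a recognisable process tree. The following detection logic is an added example, not G Data's tooling or anything from the malware itself: it reads process-creation records in a JSON-lines layout whose field names mirror Sysmon event ID 1, and flags the three links of that chain. All records are constructed; the paths, process IDs and rule names are assumptions made for the example.

```python
"""Constructed detection example for the BadSpace-style loader chain.
Not G Data's code; the log records below are made up for illustration."""
import json
import ntpath

# Directories an unprivileged user can write to (lower-case, for substring matching).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Script hosts that commonly launch a PowerShell stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (field names follow Sysmon event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-File C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1"},
    {"ProcessId": 4188,
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Run"},
    {"ProcessId": 5010,   # benign: Control Panel applet launched from Explorer
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ProcessId": 5022,   # benign: interactive PowerShell session
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules that match one process-creation event."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "").lower()
    hits = []
    # Link 1: a script host starting PowerShell with a hidden window or encoded command.
    if parent in SCRIPT_HOSTS and image == "powershell.exe" and (
            "-windowstyle hidden" in cmdline or " -w hidden" in cmdline or "-enc" in cmdline):
        hits.append("scripthost-hidden-powershell")
    # Link 2: PowerShell handing execution to rundll32.exe.
    if image == "rundll32.exe" and parent == "powershell.exe":
        hits.append("powershell-spawns-rundll32")
    # Link 3: rundll32.exe loading a DLL from a user-writable location.
    if image == "rundll32.exe" and any(p in cmdline for p in USER_WRITABLE):
        hits.append("rundll32-user-writable-dll")
    return hits


def scan(log_text: str) -> list:
    """Parse JSON-lines process events and return (ProcessId, hits) for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev.get("ProcessId"), hits))
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_LOG):
        print(pid, ", ".join(hits))
```

The two benign records show why the rules are combined rather than alerting on rundll32.exe alone: Explorer launching a Control Panel applet through rundll32.exe is normal, and the parent-child relationship plus the DLL's location are what separate the loader from everyday use.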


BadSpace uses a variety of anti-analysis techniques to check that it is not running in a sandbox, such as counting the folders in the Temp directory, counting how many times DisplayName appears as a registry subkey, and checking the number of processors and the memory status.

The backdoor then establishes persistence by creating a scheduled task and replicating itself, and communicates with the command-and-control server, sending a cookie that contains system information and the RC4 key used to encrypt the traffic.
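Because the article states that the RC4 key itself travels in a cookie, an analyst holding a packet capture of the C2 exchange can recover the plaintext without any key material beyond what is in the request. The code below is an added forensic example, not G Data's or BadSpace's code: a plain RC4 implementation, checked against the published "Key"/"Plaintext" test vector, plus a helper that pulls the key out of a Cookie header and decrypts a body. The cookie name `k` and the hex encoding of the key are assumptions for the example; the page does not give the real cookie layout, and the capture shown is constructed.

```python
"""Added forensic example: decrypt RC4-protected C2 traffic when the key
is carried in a request cookie. Cookie name and encoding are assumed."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed onto data; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA).
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA).
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_cookie(cookie_header: str, name: str = "k") -> bytes:
    """Extract the hex-encoded key from a Cookie header (assumed layout: name=hex)."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return bytes.fromhex(v)
    raise ValueError("key cookie not present")


def decrypt_capture(cookie_header: str, body: bytes) -> bytes:
    """Recover the plaintext of a captured request body using the key in its cookie."""
    return rc4(key_from_cookie(cookie_header), body)


# Constructed capture: the body is RC4("Key", "Plaintext") from the standard test vector.
SAMPLE_KEY = b"Key"
SAMPLE_COOKIE = "sess=abc123; k=" + SAMPLE_KEY.hex()
SAMPLE_BODY = bytes.fromhex("bbf316e8d940af0ad3")

if __name__ == "__main__":
    print(decrypt_capture(SAMPLE_COOKIE, SAMPLE_BODY))
```

The design point for a defender is that the key and the ciphertext share one request: once that cookie is logged or captured at a proxy, the encryption adds no confidentiality against whoever holds the capture, so this is a pattern worth extracting into a protocol decoder rather than treating the traffic as opaque.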

The malware supports seven different commands, including obtaining system information, taking screenshots, executing commands on the command line, reading and writing files, and deleting the scheduled task it uses to remain persistently present on the system.
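Since both the persistence step and the task-removal command centre on a scheduled task, the creation of that task is the event a defender can hunt for. Windows logs it as Security event 4698 when task-creation auditing is enabled, with the task definition embedded in the TaskContent field. The script below is an added hunting example, not tooling from G Data or the malware: it parses 4698 records and flags tasks whose action runs a proxy-execution binary such as rundll32.exe or points into a user-writable directory. The event and task XML are constructed to match the documented schemas, but the task names, paths and rule labels are assumptions for the example.

```python
"""Added hunting example: triage Windows Security event 4698 (scheduled task
created) records for actions typical of loader persistence. Sample events
are constructed; schema namespaces are the documented Microsoft ones."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Binaries that execute code on behalf of something else and rarely belong in user-created tasks.
PROXY_BINARIES = {"rundll32.exe", "powershell.exe", "regsvr32.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def make_task_xml(command: str, arguments: str) -> str:
    """Build a minimal task definition (constructed helper for the sample data)."""
    return (f'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def make_4698(task_name: str, task_xml: str) -> str:
    """Wrap a task definition the way the Security log does: TaskContent holds it as escaped text."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed sample events: one built-in task, one loader-style task, one ordinary application task.
SAMPLE_EVENTS = [
    make_4698("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
              make_task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")),
    make_4698("\\OneDrive Update",
              make_task_xml("C:\\Windows\\System32\\rundll32.exe",
                            "C:\\Users\\alice\\AppData\\Roaming\\srv.dll,Start")),
    make_4698("\\Backup",
              make_task_xml("C:\\Program Files\\Backup\\backup.exe", "/daily")),
]


def triage_4698(event_xml: str):
    """Return (task name, list of findings) for a 4698 event, or None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    task = ET.fromstring(data["TaskContent"])   # ElementTree already unescaped the text
    findings = []
    for exec_node in task.iter(f"{TASK_NS}Exec"):
        cmd = exec_node.findtext(f"{TASK_NS}Command") or ""
        args = exec_node.findtext(f"{TASK_NS}Arguments") or ""
        binary = cmd.lower().rsplit("\\", 1)[-1]
        if binary in PROXY_BINARIES:
            findings.append("proxy-binary-action")
        if any(p in f"{cmd} {args}".lower() for p in USER_WRITABLE):
            findings.append("user-writable-path")
    return data.get("TaskName", ""), findings


def hunt(events) -> list:
    """Return (task name, findings) for every 4698 event that triggered at least one rule."""
    results = []
    for event_xml in events:
        triaged = triage_4698(event_xml)
        if triaged and triaged[1]:
            results.append(triaged)
    return results


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS):
        print(name, ", ".join(findings))
```

Pairing this with the matching deletion event (4699, scheduled task deleted) lets an analyst see both ends of the lifecycle the article describes: the task being created for persistence and later removed on command.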