
BadSpace backdoor compromises websites to infiltrate systems

A novel backdoor malware, dubbed BadSpace, has emerged as a significant threat to cybersecurity, operating through a multi-stage infection chain involving compromised websites, fake browser updates, and obfuscated scripts.

BadSpace also employs advanced evasion techniques, including dynamic API resolution and anti-sandbox checks, to infiltrate systems, establish persistence and communicate with its command-and-control servers, posing a formidable challenge for security defences.

Kevross33, a threat intelligence analyst, discovered the backdoor on May 19, 2024. A few days later, another researcher, Gi7w0rm, drew wider attention from the cybersecurity community to the malware.

BadSpace’s infection process is a multi-stage attack that leverages several vectors to infiltrate systems. The attack begins with infected websites, which deliver the initial payload. When a user visits these compromised sites, a cookie is set to track whether it’s their first visit.

BadSpace attack chain explained. | Source: G Data Software

If it is, the site constructs a URL containing details about the user’s device, IP address, and other metadata. A GET request is sent to this URL, and the response, which contains the payload, overwrites the original webpage.

“There is a tendency to infect WordPress websites and to inject the malicious code to the JavaScript libraries like jQuery or in the index page itself,” said researchers. “We were able to acquire several JScript files that drop and run the BadSpace backdoor. Some of them use extension spoofing like ‘.pdf.js.’”

Additionally, some compromised sites display a fake Google Chrome update window. When users download this fake update, either the malware itself or a JScript downloader is deployed to their systems.

The JScript downloader in this attack employs advanced obfuscation techniques to evade detection. Initial analysis revealed that the script starts with three obfuscation functions and a string array. These functions manipulate arrays and shift values to hide the true nature of the variables and functions.

JScript obfuscation mechanism. | Source: G Data Software

“The shift and subtract values are not fixed and are unique for each sample. This new array will replace obfuscated names of the variables and functions. However, not all variables will be renamed for additional complexity after executing the mentioned functions,” researchers note.

The obfuscation is further layered with Dean Edwards’ JavaScript Compressor; once unpacked, the final stage of the script is a PowerShell downloader.

Once executed, the PowerShell script silently downloads the BadSpace backdoor and runs it using rundll32.exe. This staged delivery keeps the malware hidden during the initial stages of deployment.

The BadSpace backdoor is a PE32+ DLL that, while not packed, is heavily obfuscated. Its strings and API names are encrypted using RC4, making analysis challenging. Each string blob in the malware is a unit of encrypted data made up of an RC4 key and the encrypted string itself. These strings are decrypted at runtime and used to resolve API calls through LoadLibraryW and GetProcAddress.

“We created an IDA Python script to decode strings and APIs in the IDA database automatically. We modified the REvil decryption script by OALabs as a basis for BadSpace. The script searches string blob references backwards from the decryption function calls, decrypts them, changes the string reference label to the decrypted string, and adds comments in the disassembler and decompiler,” explained researchers.
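The per-blob RC4 string decryption described above, as an added analyst-side example that is not the G Data IDA script or any code from the sample: the article only states that each blob carries an RC4 key and the encrypted string, so the field layout used here (4-byte little-endian key length, 4-byte ciphertext length, key, ciphertext) and the UTF-16LE encoding of the API names are assumptions for the constructed sample blobs.

```python
# Added example: decode BadSpace-style RC4 string blobs (not the G Data script).
# ASSUMED blob layout, since the article gives none:
#   [u32 LE key length][u32 LE ciphertext length][key bytes][ciphertext bytes]
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_blob(key: bytes, plaintext: str) -> bytes:
    """Construct a sample blob in the assumed layout (UTF-16LE for the W APIs)."""
    ct = rc4(key, plaintext.encode("utf-16-le"))
    return struct.pack("<II", len(key), len(ct)) + key + ct

def decode_blob(blob: bytes) -> str:
    """Parse one blob, RC4-decrypt it and return the recovered string."""
    key_len, ct_len = struct.unpack_from("<II", blob, 0)
    if key_len == 0 or 8 + key_len + ct_len > len(blob):
        raise ValueError("header lengths exceed blob size")
    key = blob[8:8 + key_len]
    ct = blob[8 + key_len:8 + key_len + ct_len]
    return rc4(key, ct).decode("utf-16-le")

def decode_all(blobs: list) -> list:
    """Decode every blob; keep a marker for malformed ones instead of aborting."""
    results = []
    for b in blobs:
        try:
            results.append(decode_blob(b))
        except (ValueError, struct.error, UnicodeDecodeError) as exc:
            results.append(f"<undecodable: {exc}>")
    return results

# Constructed sample blobs, each with its own key as the article describes.
SAMPLE_BLOBS = [
    build_blob(b"\x13\x37\xc0\xde", "LoadLibraryW"),
    build_blob(b"k3y-two", "GetProcAddress"),
    b"\x05\x00\x00\x00\xff\xff\xff\xff",  # truncated blob: header only
]
```

Running `decode_all(SAMPLE_BLOBS)` recovers the two API names and flags the truncated blob rather than crashing, which is the behaviour a batch string decoder in a disassembler needs.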

BadSpace employs several anti-sandbox techniques to avoid detection by security tools. It checks the number of folders in the %TEMP% and %APPDATA% directories, the frequency of DisplayName entries in the Windows registry, the number of processors, and the system’s global memory status. Each sample has unique threshold values for these checks.

Anti-sandbox check. | Source: G Data Software

Once the anti-sandbox checks are complete, BadSpace creates a unique mutex and establishes persistence through scheduled tasks. Depending on the environment, it may copy itself to different folders and use commands to remain active even after reboot.

The communication between the infected system and the command and control (C2) server is encrypted using RC4, with a hardcoded key unique to each sample. The C2 server can issue various commands to the infected system, including querying system information, taking screenshots, executing commands, and manipulating files. These commands enable the threat actor to control the compromised system and exfiltrate valuable data.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.