Backdoor BadSpace delivered by high-ranking infected websites


Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the BadSpace backdoor. What is this new threat capable of, and how is it eerily similar to a warm cookie?

The backstory

On 19 May, threat intelligence analyst Gi7w0rm drew the attention of the cybersecurity community to a new backdoor, “BadSpace”, which had been discovered by the researcher @kevross33 several days earlier. We outline the infection chain and give an overview of the backdoor's functionality.

Vectors in the infection chain

Through collaborative research with the cybersecurity community, we identified that the threat actor employs a multi-stage attack chain involving an infected website, a command and control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system.

Threat Intelligence Analyst Gi7w0rm shared with us that BadSpace is delivered via infected websites. The reported scenarios slightly differ, but the basics are the same. The code from the infected website sets a cookie to track if the user has visited the page before. If it’s the user's first visit, it constructs a URL with query parameters including information about the user's device type, IP address, referrer, user agent, domain, and location. After that, it sends a GET request to the constructed URL. The response with a payload from this URL overwrites the webpage that initially was called by a user, unless it contains an error message indicating a page load error.

Figure: Infection chain

There is a tendency to infect WordPress websites and to inject the malicious code into JavaScript libraries like jQuery[1] or into the index page itself[2].

We were able to acquire several JScript files that drop and run the BadSpace backdoor. Some of them use extension spoofing like “.pdf.js”[3][4].

Gi7w0rm also informed us that some of the websites show a window with a fake Google Chrome update; once the user downloads it, it drops the malicious backdoor or the JScript onto the system.

The domains that serve as C2 servers in the web attack[6][7] were mentioned by Group-IB Threat Intelligence, which associates them with the threat actor SocGholish. According to a report by Proofpoint, it is typical for SocGholish to use fake updates and JS files. The described attack shares many similarities in how the backdoor was delivered.


The JScript file[3] employs different obfuscation techniques. The de-obfuscation starts with three functions and a strings array. For example, the first function shifts the given array 143,858 times (0x231f2), and another function after subtracting 383 (0x17f) points to the first element of a new array. The shift and subtract values are not fixed and are unique for each sample. This new array will replace obfuscated names of the variables and functions. However, for additional complexity, not all variables will be renamed after the execution of the mentioned functions. The rest of the variables are declared within the code. We suspect that the threat actor used service  

The third function at the end of the file is obfuscated with the help of JavaScript Compressor by Dean Edwards. The result of this function will finish the construction of the PowerShell downloader.  

The PowerShell code silently downloads the BadSpace backdoor[5] and after ten seconds it executes the downloaded file using rundll32.exe. 


BadSpace string and API obfuscation

The present BadSpace sample[5] is a PE32+ DLL that is not packed but obfuscated. 

The strings, Windows API DLL names, and Windows API function names that it uses are encrypted with RC4. Each string blob has the following buildup: four bytes length of encrypted data, followed by a four bytes RC4 key, followed by the encrypted data.
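To make the blob layout concrete, here is an added example (not the article's code, nor the IDA script mentioned below) that parses a table of such blobs and decrypts each one with RC4. The sample table is constructed in the block itself, and the little-endian encoding of the length field is an assumption that the article does not state.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_blob(buf: bytes, offset: int = 0) -> tuple:
    """Parse one blob: 4-byte length, 4-byte RC4 key, then `length` encrypted bytes.

    Returns (decrypted string, offset of the next blob). Both bounds are checked so a
    corrupted or truncated table raises instead of reading past the buffer.
    Assumption: the length field is little-endian.
    """
    if offset + 8 > len(buf):
        raise ValueError("truncated blob header at offset %d" % offset)
    (length,) = struct.unpack_from("<I", buf, offset)
    key = buf[offset + 4:offset + 8]
    start, end = offset + 8, offset + 8 + length
    if end > len(buf):
        raise ValueError("length field %d exceeds buffer" % length)
    plain = rc4(key, buf[start:end])
    return plain.decode("utf-8", errors="replace"), end


def decode_table(buf: bytes) -> list:
    """Walk consecutive blobs until the buffer is exhausted."""
    strings = []
    offset = 0
    while offset < len(buf):
        text, offset = decode_blob(buf, offset)
        strings.append(text)
    return strings


def encode_blob(key: bytes, text: str) -> bytes:
    """Inverse of decode_blob; used here only to build the constructed sample table."""
    data = rc4(key, text.encode("utf-8"))
    return struct.pack("<I", len(data)) + key + data


# Constructed sample table (not taken from the real binary): two API-related strings
# laid out back to back exactly as the article describes the blob format.
SAMPLE_TABLE = (
    encode_blob(b"\x01\x02\x03\x04", "kernel32.dll")
    + encode_blob(b"\xde\xad\xbe\xef", "GetProcAddress")
)

if __name__ == "__main__":
    for s in decode_table(SAMPLE_TABLE):
        print(s)
```

Dumping a real strings table only needs the raw bytes of the section that holds the blobs fed into decode_table; the per-blob key means there is no global key to recover first.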

APIs are resolved dynamically via LoadLibraryW and GetProcAddress using the decrypted function names from the strings table. 

We created an IDA Python script to automatically decode strings and APIs in the IDA database. The script searches for potential decryption function calls in the decompiler's Ctree, decrypts the argument, relabels the string reference with the decrypted string, and adds comments.

While discussing the case with other researchers, Mohamed Ashraf provided a standalone Python script that also decrypts BadSpace strings. It works independently from IDA. 

BadSpace anti-sandbox and persistence

BadSpace[5] employs several anti-sandbox heuristics.  

  • It counts the number of folders in the %TEMP% and %APPDATA% directories and makes sure that these are above a certain threshold.

  • It queries the registry and counts how often DisplayName appears as a subkey of SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

  • It checks the number of processors and the global memory status.

The thresholds for all anti-sandbox heuristics are slightly different for each sample. 

After the anti-sandbox checks it first creates the mutex “32ac0087-89d0-4ea5-89af-26a8d08e87ce”; this UUID value is different for each BadSpace sample.

Then it persists via scheduled task creation and self-copying. The persistence function accounts for both EXE and DLL files. Because the present sample is a DLL, the scheduled task uses the command:


Rundll32.exe %ALLUSERSPROFILE%\RtlUpd\RtlUpd.dll,Start /p 


If that fails, it tries a different folder: 


Rundll32.exe %APPDATA%\RtlUpd\RtlUpd.dll,Start /p 


The arguments Start /p make sure that the persistence function is not executed again.

C2 communication

The initial request to the server sends a cookie, which contains encrypted information of the infected system. This cookie is most likely the reason for the malware’s alias name WarmCookie. The following data is sent to the server: 

  • computer name 

  • DNS domain assigned to the local computer 

  • crc32 hash of the Volume Serial Number for C: xored with the crc32 hash of 32ac0087-89d0-4ea5-89af-26a8d08e87ce (this UUID is different for each sample and it is the same value that is being used for the mutex) 

  • OS version info 

  • username 

  • RC4 key 

The key is used to encrypt C2 communication. It is a hardcoded RC4 key that is different for every sample. In the present sample the key is “24de21a8dc08434c”. 

The user agent that the backdoor uses for C2 communication is responsible for the name BadSpace because it has additional spaces that are not present in Firefox user agents: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705) 
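The malformed user agent is a cheap network indicator, so here is an added example (not from the article) that scans proxy or web-server log lines for it. It flags the exact BadSpace string and, more generally, any product token with whitespace around the slash, which a legitimate browser never emits. The log lines are constructed for the example and assume the combined log format with the user agent as the last quoted field.

```python
import re
from typing import List, Optional, Tuple

# User agent quoted in the article; note the spaces around "/" in "Mozilla / 4.0".
BADSPACE_UA = "Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)"

# A product token is "Name/version"; whitespace on both sides of the slash is the anomaly.
SPACED_SLASH = re.compile(r"\s/\s")


def is_suspicious_user_agent(ua: str) -> bool:
    """True for the known BadSpace string or any product token written 'Name / version'."""
    return ua == BADSPACE_UA or bool(SPACED_SLASH.search(ua))


def extract_user_agent(line: str) -> Optional[str]:
    """Return the last double-quoted field of a combined-log-format line (assumed layout)."""
    fields = re.findall(r'"([^"]*)"', line)
    return fields[-1] if fields else None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, user agent) for every line whose user agent looks suspicious."""
    hits = []
    for number, line in enumerate(lines, 1):
        ua = extract_user_agent(line)
        if ua and is_suspicious_user_agent(ua):
            hits.append((number, ua))
    return hits


# Constructed sample log: a normal Firefox client, a BadSpace beacon, and a genuine
# IE6-style user agent that has the same tokens but correct spacing.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"',
    '192.0.2.11 - - [19/May/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 128 "-" '
    '"Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)"',
    '192.0.2.12 - - [19/May/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"',
]

if __name__ == "__main__":
    for number, ua in scan_log(SAMPLE_LOG):
        print("line %d: suspicious user agent %r" % (number, ua))
```

The generic spaced-slash rule is deliberately broader than the one sample, since the user agent string is hardcoded per build and may be re-spaced in other samples; the third log line shows that a correctly spaced IE6 string is not flagged.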

BadSpace was the prevalent malware name in discussions with other researchers, whereas WarmCookie only appeared in one of the detection names on VirusTotal. Hence, we decided to use the name BadSpace.

Figure: Command loop for the C2 communication

There are seven different commands that the server may issue towards the client. The command is determined by a number. 

  Command   Meaning
  0x1       query ProcessorNameString in HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor
  0x2       take a screenshot
  0x3       query DisplayName, DisplayVersion and InstallDate in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  0x4       execute cmd command
  0x5       write file
  0x6       read file
  0xA       delete scheduled task persistence

Indicators of compromise

The remaining section lists the SHA256 hashes, IPs and URLs that we analysed for this article. The square brackets [X] are references to the samples or URLs in the text.

JavaScript (web infection)

[1] 2b4d7ed8d12d34cbf5d57811ce32f9072845f5274a2934221dd53421c7b8762b

[2] f3fed82131853a35ebb0060cb364c89f42f55e357099289ca22f7af651ee2c48


JScript droppers 

[3] c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc 

[4] 9786569f7c5e5183f98986b78b8e6d7afcad78329c9e61fb881d3d0960bc6a15 

BadSpace backdoor

[5] 6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f

C2 domains

[6] uhsee[.]com

[7] kongtuke[.]com