Hackers Hide Malware in Stunning James Webb Space Telescope Images

A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR exploited the deep-field image taken by NASA’s James Webb Space Telescope (JWST) as a decoy to deploy malicious payloads to infected systems.

The development, revealed by Securonix, highlights the growing adoption of Go among threat actors: the language's cross-platform support lets operators maintain a single codebase and compile it for different operating systems.

Go binaries also have the added benefit of being considerably harder to reverse engineer than malware written in languages like C++ or C#, which slows down both manual analysis and automated scanning and detection.

Phishing emails carrying a Microsoft Office attachment act as the entry point to the attack chain. When the document is opened, it retrieves an obfuscated VBA macro, which is then executed automatically if the recipient enables macros.


Running the macro downloads an image file named "OxB36F8GEEC634.jpg", which appears to be the First Deep Field image captured by JWST. Inspected in a text editor, however, the file is found to carry a Base64-encoded payload.

"The deobfuscated [macro] code runs [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and finally run it," Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov said.

The binary, a 64-bit Windows executable of about 1.7 MB, is not only built to evade antimalware engines but is also obfuscated with a technique the researchers call gobfuscation, which relies on gobfuscate, a Golang obfuscation tool publicly available on GitHub.
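The decode step above is the part a responder will most often have to reproduce: the image renders normally, but a Base64 blob tucked after the picture data decodes to a Windows executable. The following is an added example, not code from Securonix or from the malware, that carves such a blob the way `certutil -decode` would and runs a cheap PE-header check on the result. The JPEG framing, the "MZ/PE" stand-in payload and the function names are all constructed for the demonstration; they are not the real OxB36F8GEEC634.jpg or msdllupdate.exe.

```python
"""Added example, not code from Securonix or the malware: carve a
Base64-encoded payload appended to a decoy image, the way
`certutil -decode` would turn the downloaded .jpg into an executable.
The JPEG framing and the "PE" payload below are constructed here for
the demonstration and are not the real files."""
import base64
import binascii
import re

# A Base64 run (PEM-style line wrapping tolerated) of at least 64 characters,
# optionally followed by '=' padding. certutil accepts wrapped input too.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def build_fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a Windows executable: a DOS 'MZ' stub whose
    e_lfanew field points at a 'PE\\0\\0' signature. Not a runnable binary."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def build_decoy_image(payload: bytes) -> bytes:
    """Constructed decoy: a minimal JPEG (SOI ... EOI) with the Base64 of
    `payload` appended after the End-Of-Image marker. Image viewers stop
    parsing at EOI, so the picture still renders while carrying the payload."""
    soi_app0 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    eoi = b"\xff\xd9"
    wrapped = base64.encodebytes(payload)  # 76-column lines, as certutil -encode emits
    return soi_app0 + b"\x00" * 32 + eoi + b"\r\n" + wrapped


def carve_base64_payloads(blob: bytes, min_len: int = 64) -> list[bytes]:
    """Return the decoded bytes of every valid Base64 run found in `blob`."""
    found = []
    for match in B64_RUN.finditer(blob):
        text = re.sub(rb"[\r\n]", b"", match.group(0))
        if len(text) < min_len:
            continue
        try:
            # validate=True rejects stray non-alphabet bytes instead of skipping them
            found.append(base64.b64decode(text, validate=True))
        except binascii.Error:
            continue
    return found


def looks_like_pe(data: bytes) -> bool:
    """Triage check: DOS 'MZ' stub plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    image = build_decoy_image(build_fake_pe())
    for i, payload in enumerate(carve_base64_payloads(image)):
        print(f"payload {i}: {len(payload)} bytes, PE header: {looks_like_pe(payload)}")
```

On a live case the same carve can be run over the downloaded image itself; a decoded blob that starts with `MZ` and has a valid `PE\0\0` signature is the dropped executable, and the parent process invoking `certutil.exe -decode` on a file with an image extension is the behaviour worth alerting on regardless of the image's content.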

The gobfuscate library has previously been documented in the ChaChi remote access trojan, used by the operators of the PYSA (aka Mespinoza) ransomware as part of their toolset, and in the Sliver command-and-control (C2) framework.

Communication with the C2 server takes place over encrypted DNS queries and responses, through which the malware receives commands from the server and executes them via the Windows command prompt (cmd.exe). The C2 domains used in the campaign appear to have been registered at the end of May 2022.
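Because the channel is DNS, the traffic survives in resolver logs even when the payload itself goes unnoticed. The following is an added example, not code from Securonix, of a first-pass heuristic a detection engineer might run over those logs: it groups queries by base domain and flags domains that receive many distinct, long, high-entropy subdomain labels, which is what commands and results encoded into query names look like. The log lines, client addresses, domain names and thresholds are all constructed for the demonstration and are not indicators from this campaign.

```python
"""Added example, not code from Securonix: a first-pass heuristic for
spotting DNS-based C2 in resolver logs. The log lines, client addresses
and domains are constructed for the demonstration and are not indicators
from the GO#WEBBFUSCATOR campaign."""
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 10.0.0.5 A www.example.com
2022-06-01T10:00:02Z 10.0.0.5 A cdn.example.com
2022-06-01T10:00:03Z 10.0.0.5 TXT k7qz2vx9m4bn8w3ph6ct1dy5rf0lgs2a.updates-mirror.test
2022-06-01T10:00:04Z 10.0.0.6 A a1.shard.example.org
2022-06-01T10:00:05Z 10.0.0.5 TXT p3lw8mz1qv6cx0bt4ks9ny2gh7rd5fj3.updates-mirror.test
2022-06-01T10:00:06Z 10.0.0.6 A a2.shard.example.org
2022-06-01T10:00:07Z 10.0.0.5 TXT y2dk5rt8wq1bm3zx7nv4pc6gh0ls9fa1.updates-mirror.test
2022-06-01T10:00:08Z 10.0.0.6 A a3.shard.example.org
2022-06-01T10:00:09Z 10.0.0.5 TXT m9xc4bv2qn7zp1kt5rw8jl3gh6dy0sf4.updates-mirror.test
2022-06-01T10:00:10Z 10.0.0.6 A a4.shard.example.org
2022-06-01T10:00:11Z 10.0.0.5 TXT t6fh1gj9lk3dz8xc2vb5nm0qw4pr7sy2.updates-mirror.test
2022-06-01T10:00:12Z 10.0.0.7 A mail.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of `label`; encoded data scores high, real words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Split the constructed log format into (timestamp, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def base_domain(qname: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Production code should consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_dns_c2_candidates(records, min_unique=4, min_label_len=20, min_entropy=3.5):
    """Flag base domains that receive many distinct, long, high-entropy
    subdomain queries: the shape of data tunnelled through DNS."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for _, _, qtype, qname in records:
        dom = base_domain(qname)
        s = stats[dom]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        if qname == dom:
            continue
        sub = qname[: -len(dom) - 1]
        first_label = sub.split(".")[0]  # the label an encoder fills first
        s["subs"].add(sub)
        s["lens"].append(len(first_label))
        s["ents"].append(shannon_entropy(first_label))
    hits = {}
    for dom, s in stats.items():
        if len(s["subs"]) < min_unique:
            continue
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits[dom] = {
                "unique_subdomains": len(s["subs"]),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(s["txt"] / s["total"], 2),
            }
    return hits


if __name__ == "__main__":
    for dom, info in find_dns_c2_candidates(parse_log(SAMPLE_LOG)).items():
        print(dom, info)
```

The sharded CDN-style names under example.org are deliberately included: they also produce many unique subdomains, but their short, low-entropy labels keep them below the threshold, which is why label length and entropy are scored together rather than unique-subdomain count alone. The TXT ratio is reported rather than scored because some tunnels use A or other record types; tune every threshold against a baseline of your own resolver traffic before alerting on it.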


Microsoft's decision to block macros by default in Office applications has pushed many adversaries to shift their campaigns to malicious LNK and ISO files as a delivery method. It remains to be seen whether the GO#WEBBFUSCATOR actors will adopt a similar approach.

"Using a legitimate image to build a Golang binary with Certutil is not very common," the researchers said, adding that "it is clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind."
