Malware hidden behind James Webb telescope images


Researchers have spotted a malware distribution campaign, dubbed "Go#Webbfuscator", that relies on images from the James Webb Space Telescope.

Opportunism is the key word for cybercriminals. Riding the wave of interest in the images released by the James Webb Space Telescope, they have built a malware distribution campaign around these photos.

This is the finding of experts from the security vendor Securonix, who uncovered an operation called "Go#Webbfuscator" that combines phishing, malicious documents and images from the James Webb telescope to distribute malware.

The malware itself is written in Golang (Go), a language increasingly popular with cybercriminals because it is cross-platform (Windows, Linux, macOS) and its binaries are comparatively hard to analyze and reverse engineer. In the attack discovered by the Securonix researchers, the infection begins with a phishing email carrying a malicious attachment, "Geos-Rate.docx".

Securonix researchers have found malware hidden in an image from the James Webb Space Telescope. (Photo credit: Securonix)

The document contains a hidden external reference in its metadata that pulls a malicious template from a remote server when the file is opened (a remote template injection).

A booby-trapped image

The template carries an obfuscated VBA macro that runs automatically if macros are enabled in the Office suite. The macro then downloads a JPEG image from a remote server. Opened in an image viewer, the file displays galaxy cluster SMACS 0723, the first deep-field image released by NASA in July 2022. Opened in a text editor, however, the image carries additional content appended after the picture data and disguised as a certificate: a Base64-encoded block that decodes to the Go executable.
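The check below is an added example, not code from the original article or from Securonix. It builds a constructed stand-in for the trapped image (a minimal JPEG followed by a fake PEM certificate block whose Base64 body hides a dummy executable) and shows how a triage script can pull the appended block out, decode it and tell a genuine DER certificate from a PE file. The sample bytes, the block layout and the classification rules are assumptions for the example; the real image and payload are not reproduced here.

```python
import base64
import re

# Constructed sample, NOT the real campaign image: a dummy "executable"
# (MZ header plus filler) that will play the role of the hidden payload.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode."

# Minimal JPEG: SOI marker, a JFIF APP0 segment, filler, EOI marker (FF D9).
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32 + b"\xff\xd9"

# Payload wrapped to look like a PEM certificate (64-character Base64 lines).
_B64 = base64.b64encode(FAKE_PAYLOAD)
PEM_BLOCK = (
    b"-----BEGIN CERTIFICATE-----\n"
    + b"\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + b"\n-----END CERTIFICATE-----\n"
)

# The "image" a viewer would still render: picture data, then the appended block.
SAMPLE_IMAGE = JPEG_BODY + PEM_BLOCK

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the JPEG End-Of-Image marker (FF D9).

    A clean JPEG ends at EOI; anything after it is foreign data worth a look.
    """
    idx = image.rfind(b"\xff\xd9")
    if idx < 0:
        return b""
    return image[idx + 2:]


def extract_certificate_payloads(image: bytes) -> list:
    """Decode every PEM 'certificate' block appended after the picture data."""
    results = []
    for m in PEM_RE.finditer(trailing_data(image)):
        b64 = b"".join(m.group(1).split())  # drop line breaks inside the block
        try:
            results.append(base64.b64decode(b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError: not valid Base64
            continue
    return results


def classify(blob: bytes) -> str:
    """A real X.509 certificate decodes to DER starting with 0x30 (SEQUENCE).

    A Windows executable starts with 'MZ'; anything else is left as unknown.
    """
    if blob[:2] == b"MZ":
        return "pe-executable"
    if blob[:1] == b"\x30":
        return "der-certificate"
    return "unknown"


if __name__ == "__main__":
    for payload in extract_certificate_payloads(SAMPLE_IMAGE):
        print(len(payload), "bytes after EOI, classified as", classify(payload))
```

The same approach applies to any file type with a well-defined end marker: locate the end of the legitimate structure, then treat what follows as untrusted data to decode and classify rather than trusting the label it carries.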

Once running, the malware uses DNS as its command-and-control (C2) channel and sends Base64-encoded data in its queries. "In the case of GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64," the Securonix specialists write. The researchers note that the domains used in the campaign were registered recently, the oldest on May 29, 2022, and they have published a set of indicators of compromise (IoCs).
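A DNS-based C2 channel of the kind described above leaves traces in resolver logs even when the payload itself is never seen. The detection below is an added example, not code from the article or from Securonix: it constructs a small resolver log in which one client sends TXT queries whose leftmost label is Base64-encoded data under a made-up attacker domain, then flags domains that receive several such queries. The log format, the domain name, the beacon contents and the thresholds are all assumptions for the example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed data, not from the real campaign: the C2 domain and the beacon
# strings are made up for the example.
C2_DOMAIN = "attacker-example.net"
BEACONS = ["hello from host PC-01", "Windows 10 x64", "user=alice"]


def encode_label(text: str) -> str:
    """Mimic the scheme the article describes: Base64 the data and use it as
    the leftmost DNS label. Padding is stripped because '=' is not a valid
    hostname character (an assumption about how a client would form labels)."""
    return base64.b64encode(text.encode()).decode().rstrip("=")


# Constructed resolver log, one query per line: "<time> <client> <qname> <qtype>".
SAMPLE_LOG = "\n".join([
    "10:00:01 10.0.0.5 www.example.com A",
    f"10:00:02 10.0.0.5 {encode_label(BEACONS[0])}.c2.{C2_DOMAIN} TXT",
    f"10:00:03 10.0.0.5 {encode_label(BEACONS[1])}.c2.{C2_DOMAIN} TXT",
    "10:00:04 10.0.0.5 mail.example.com MX",
    "10:00:05 10.0.0.7 _dmarc.example.com TXT",   # legitimate TXT lookup
    f"10:00:06 10.0.0.5 {encode_label(BEACONS[2])}.c2.{C2_DOMAIN} TXT",
])

# Labels made only of Base64 (standard or URL-safe) characters and long enough
# to be worth decoding; ordinary host labels such as "www" never match.
LABEL_RE = re.compile(r"^[A-Za-z0-9+/_-]{12,}$")


def decode_label(label: str):
    """Base64-decode a label with its padding restored; return the text if it
    decodes to printable ASCII, otherwise None (binary noise is ignored)."""
    padded = label + "=" * (-len(label) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            raw = decoder(padded)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels; a real tool would use a public-suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def find_dns_c2(log_text: str, min_queries: int = 3) -> dict:
    """Group TXT queries whose leftmost label decodes as Base64 text by
    registered domain; return domains with at least min_queries such queries
    mapped to the (client, decoded data) pairs seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue
        _, client, qname, _ = parts
        first = qname.split(".")[0]
        if not LABEL_RE.match(first):
            continue
        decoded = decode_label(first)
        if decoded is None:
            continue
        hits[registered_domain(qname)].append((client, decoded))
    return {domain: q for domain, q in hits.items() if len(q) >= min_queries}


if __name__ == "__main__":
    for domain, queries in find_dns_c2(SAMPLE_LOG).items():
        print(domain)
        for client, data in queries:
            print("  ", client, "->", data)
```

In practice the decoded text would be stored alongside the query, and the domain's registration date (the campaign's domains were only weeks old) would be a second signal to weigh before alerting; encrypted or compressed beacons will not decode to printable text and need a volume or entropy rule instead.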
