Jump to content
  • Hackers hide malware in James Webb telescope images

    Karlston

    • 410 views
    • 3 minutes
     Share


    • 410 views
    • 3 minutes

    Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.

     

    The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

     

    In the recent campaign discovered by researchers at Securonix, the threat actor drops payloads that are currently not marked as malicious by antivirus engines on the VirusTotal scanning platform.

    Infection chain

    The infection starts with a phishing email with an attached malicious document, “Geos-Rates.docx”, which downloads a template file.

     

    That file contains an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite. The code then downloads a JPG image (“OxB36F8GEEC634.jpg”) from a remote resource (“xmlschemeformat[.]com”), decodes it into an executable (“msdllupdate.exe”) using certutil.exe, and launches it.

     

    vbs.jpg

    Obfuscated VBS macro (left) and decoded command to download the JPG file (right) (Securonix)

     

    In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022.

     

    However, if opened with a text editor, the image reveals additional content disguised as an included certificate, which is a Base64-encoded payload that turns into the malicious 64-bit executable.

     

    image-code.jpg

    Same file on image viewer (left) and on text editor (right) (Securonix)

     

    The payload’s strings are further obfuscated using ROT25, while the binary uses XOR to hide the Golang assemblies from analysts. On top of that, the assemblies use case alteration to avoid signature-based detection by security tools.

    Malware functions

    Based on what could be deduced via dynamic malware analysis, the executable achieves persistence by copying itself to '%%localappdata%%\microsoft\vault\' and adding a new registry key.

     

    Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.

     

    “The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents,” explains Securonix in the report.

     

    “In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64.”

     

    The C2 may respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending out commands to execute through the Windows cmd.exe tool.

     

    During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.

     

    The researchers note that the domains used for the campaign were registered recently, the oldest one on May 29, 2022.

     

    Securonix has provided a set of indicators of compromise (IoCs) that includes both network and host-based indicators.

     

     

    Hackers hide malware in James Webb telescope images

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...