Cybercriminals are exploiting some of the stunning new images captured by Nasa's James Webb Space Telescope to indiscriminately spread malware to their targets, according to intelligence shared by the threat research team at cloud security analytics specialist Securonix.
In a new report, Securonix analysts D Iuzvyk, T Peck and O Kolesnikov said they found a unique sample of a persistent campaign based on Golang, which they track as Go#Webfuscator.
As previously explored by Computer Weekly, malware based on Golang, or Go, is increasingly popular among cybercriminals, particularly because its binaries are harder to analyze and reverse engineer than those written in C++ or C#, and because the language is more flexible in terms of cross-platform support, meaning the same malware can target multiple systems at once without needing to be manipulated. Advanced persistent threat (APT) groups such as Mustang Panda are fans of it for these reasons.
Go#Webfuscator itself spreads via phishing emails containing a Microsoft Office attachment that contains, hidden in its metadata, an external reference that retrieves a malicious template file containing a Visual Basic script to initiate the first step of code execution, if the victim is unfortunate enough to enable macros.
After deobfuscating the Visual Basic code, the Securonix team discovered that it ran a command to download a .jpg image file, then used the certutil.exe command-line program to decode it into a binary and run it.
The .jpg in question is the now famous Webb's First Deep Field image, taken by the James Webb Space Telescope, which shows galaxy cluster SMACS 0723 in extraordinary detail, including some of the faintest and most distant objects ever observed in the infrared spectrum.
In this case, however, it contains malicious Base64 code disguised as an embedded certificate which, as of the date of Securonix's disclosure, had not been detected by any anti-virus software. Once decoded, this in turn is saved as a Windows executable file, the Golang binary, i.e. the malware itself.
Go#Webfuscator is a remote access trojan, or RAT, that calls back to its command-and-control (C2) infrastructure and is used to establish an encrypted channel for control of the victim's system, or to deliver secondary payloads used to exfiltrate sensitive data, which could include passwords, account details and financial information, making its victims vulnerable to fraud or identity theft later on.
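A triage check for the pattern described above, as an added example (not from Securonix's report or the original article): it looks for certificate-armored Base64 inside a JPEG and flags blocks that decode to a Windows executable (MZ header) rather than the DER structure a genuine certificate starts with. The PEM-style BEGIN/END CERTIFICATE markers are an assumption about how the block is wrapped, and `scan_image`, `is_suspicious` and `make_sample` are hypothetical names.

```python
import base64
import binascii
import re

# PEM-style certificate armor (assumed wrapper; certutil -decode accepts it).
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus next marker byte


def classify_payload(decoded: bytes) -> str:
    """Label what a decoded 'certificate' body really is."""
    if decoded[:2] == b"MZ":
        return "pe-executable"   # DOS/PE header: not a certificate
    if decoded[:1] == b"\x30":
        return "der-sequence"    # a genuine X.509 certificate starts this way
    return "unknown"


def scan_image(data: bytes) -> list:
    """Find certificate-armored Base64 in an image and classify each block."""
    findings = []
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(1).split())  # strip line breaks and spaces
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            kind, size = "invalid-base64", 0
        else:
            kind, size = classify_payload(decoded), len(decoded)
        findings.append({"offset": m.start(), "kind": kind, "size": size})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when a JPEG carries a 'certificate' that decodes to a PE file."""
    return data.startswith(JPEG_SOI) and any(
        f["kind"] == "pe-executable" for f in scan_image(data)
    )


def make_sample(payload: bytes) -> bytes:
    """Constructed test input: minimal JPEG markers, then an armored blob."""
    armored = base64.encodebytes(payload)
    return (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9\n"
            + b"-----BEGIN CERTIFICATE-----\n" + armored
            + b"-----END CERTIFICATE-----\n")
```

Run `is_suspicious` over image files written to disk by Office child processes or pulled from web proxy captures; a hit means the "certificate" is an executable in disguise.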
“Overall, the TTPs [tactics, techniques and procedures] seen with Go#Webfuscator throughout the attack chain are quite interesting. Using a legitimate image to create a Golang binary with certutil is not very common in our experience or typical and something we are monitoring closely,” the team wrote in its disclosure.
“It is clear that the original author of the binary designed the payload with both trivial counter-crime and anti-EDR [endpoint detection and response] detection methodologies in mind.”
Ray Walsh, digital privacy expert at ProPrivacy, said: “Consumers should beware of unsolicited emails that use the James Webb Space Telescope as the subject and should avoid any Microsoft Office attachments containing a .jpg image, as this is used to automatically deliver the malicious payload.
“Consumers are reminded that these types of attacks rely on configuring Office to automatically run macros. We recommend that all Office users change their macro settings to warn them before running a macro, as this will help prevent malware from installing itself.”
For security professionals, more details on the campaign, including indicators of compromise (IoCs), MITRE ATT&CK techniques and YARA rules, are available from Securonix.