Hackers hide malware in James Webb telescope images (Security News, August 2022)

Threat analysts have spotted a new malware campaign, dubbed 'GO#WEBBFUSCATOR', that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.
The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform and its binaries are harder to reverse engineer and analyze.
The payload's strings are further obfuscated with ROT25 (a Caesar shift of 25 positions, which is equivalent to shifting each letter back by one), while the binary uses XOR encoding to hide the Golang assemblies from analysts.
Based on what could be deduced from dynamic malware analysis, the executable achieves persistence by copying itself to '%%localappdata%%microsoftvault' and adding a new registry key.
Upon execution, the malware communicates with its command and control (C2) server over DNS, sending encrypted data inside its queries; because this channel rides on ordinary name resolution, outbound DNS traffic is where defenders would look for it.
The C2 may respond by setting the time interval between connection requests, changing the nslookup timeout, or sending commands to be executed through the Windows cmd shell.
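As an added example that is not part of the article or of the analysed malware, the following Python script applies the detection idea above to a constructed DNS query log: it flags apex domains that receive many distinct, long, high-entropy leftmost labels, which is what encrypted data carried in DNS queries looks like. The log format, the 'c2-placeholder.test' domain and the thresholds are assumptions chosen for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name).
# The c2-placeholder.test entries imitate encrypted data carried in query names.
SAMPLE_LOG = """\
2022-08-30T10:00:01 10.0.0.5 www.example.com
2022-08-30T10:00:02 10.0.0.5 mail.example.com
2022-08-30T10:00:03 10.0.0.7 6a7b3c9d1e2f4a5b6c7d8e9f0a1b2c3d.c2-placeholder.test
2022-08-30T10:00:04 10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2-placeholder.test
2022-08-30T10:00:05 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.test
2022-08-30T10:00:06 10.0.0.7 f1e2d3c4b5a69788796a5b4c3d2e1f00.c2-placeholder.test
2022-08-30T10:00:07 10.0.0.9 cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex(name: str) -> str:
    """Last two labels of a name (public-suffix handling is out of scope here)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspect_domains(log_text, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Return {apex: distinct_label_count} for apex domains whose leftmost labels
    are long, high-entropy and numerous: the signature of data tunnelled over DNS.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing on them
        name = parts[2].lower()
        leftmost = name.split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            seen[apex(name)].add(leftmost)
    return {d: len(subs) for d, subs in seen.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    print(find_suspect_domains(SAMPLE_LOG))  # {'c2-placeholder.test': 4}
```

Legitimate services (CDNs, anti-spam lookups, some telemetry) also emit long machine-generated labels, so treat hits as leads to correlate with the process and host that issued the queries, not as verdicts.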
News URL: https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-james-webb-telescope-images/
Related news
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
- Hacker infects 18,000 "script kiddies" with fake malware builder
- North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS
- Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware
- North Korean hackers spotted using ClickFix tactic to deliver malware
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware
- Chinese hackers use custom malware to spy on US telecom networks
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems