Security News > 2022 > August > Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope

A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope as a lure to deploy malicious payloads on infected systems.

Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros.

The execution of the macro results in the download of an image file "OxB36F8GEEC634.jpg" that seemingly is an image of the First Deep Field captured by JWST but, when inspected using a text editor, is actually a Base64-encoded payload. "The deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary and then finally, execute it," Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov said.

Communication with the C2 server is facilitated through encrypted DNS queries and responses, enabling the malware to run commands sent by the server through the Windows Command Prompt.

Microsoft's decision to block macros by default across Office apps has led many an adversary to tweak their campaigns by switching to rogue LNK and ISO files for deploying malware.

"Using a legitimate image to build a Golang binary with Certutil is not very common," the researchers said, adding, "It's clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind."

News URL

https://thehackernews.com/2022/08/hackers-hide-malware-in-stunning-images.html