Deep-space images from the James Webb Space Telescope are being used by hackers to hide and distribute malware.
As reported by Bleeping Computer, a new malware campaign titled ‘GO#WEBBFUSCATOR’ has been discovered; it also involves phishing emails and malicious documents.
A phishing email carrying a document named “Geos-Rates.docx” is initially sent to victims, who then unknowingly download a template file if they fall for it.
If the target system’s Office suite has macros enabled, the file mentioned above automatically runs a VBS macro. This allows a JPG image to be downloaded from a remote server, after which it is decoded into an executable and finally saved to the machine.
If the file itself is opened with an image viewer application, the image shows the galaxy cluster SMACS 0723, captured by the recently launched James Webb Telescope. That said, opening the same file with a text editor reveals how the image disguises a payload that turns into a malware-based 64-bit executable.
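The point above, that an image which renders normally in a viewer can still carry text that the decoder never looks at, is something a defender can check for directly. The following scanner is an added example written for this article, not code from Securonix, Bleeping Computer or the campaign itself: it walks a JPEG's marker structure, collects the free-form metadata segments (COM and APPn) plus any bytes after the End Of Image marker, looks for long Base64 runs there, and decodes them in memory only to see whether they start with an MZ (PE) header. The `build_sample` helper constructs a minimal marker skeleton (not a real picture) so the example runs offline; the `fake_pe` bytes are a constructed stand-in, not a real executable.

```python
import base64
import re
from dataclasses import dataclass, field

# JPEG markers: Start Of Image, End Of Image, Start Of Scan.
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# A run of Base64 text long enough to be a payload rather than ordinary metadata.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class ScanResult:
    trailing_bytes: int            # bytes found after the final EOI marker
    base64_blobs: int              # long Base64 runs in metadata or trailing data
    embedded_executable: bool      # at least one run decodes to an MZ (PE) header
    findings: list = field(default_factory=list)


def walk_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before SOS.

    Every marker that may precede SOS (APPn, COM, DQT, DHT, SOF, ...) carries a
    2-byte big-endian length that includes itself, so a simple walk suffices.
    Parsing stops at SOS because entropy-coded scan data follows it.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (SOS, 0xD9):
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_jpeg(data: bytes) -> ScanResult:
    """Flag the places in a JPEG where text can ride along unseen by the decoder."""
    findings = []
    # 1. A well-formed image ends at EOI; anything after it is never rendered.
    eoi = data.rfind(EOI)
    trailing = data[eoi + 2:] if eoi != -1 else b""
    if trailing.strip():
        findings.append(f"{len(trailing)} bytes after the EOI marker")
    # 2. COM (0xFE) and APPn (0xE0-0xEF) segments hold free-form metadata.
    candidates = [p for m, p in walk_segments(data) if m == 0xFE or 0xE0 <= m <= 0xEF]
    candidates.append(trailing)
    blobs = [b for chunk in candidates for b in B64_RUN.findall(chunk)]
    if blobs:
        findings.append(f"{len(blobs)} long Base64 run(s) in non-image data")
    # 3. Decode each run in memory only, to see whether it is a PE image.
    executable = False
    for blob in blobs:
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            executable = True
            findings.append("Base64 run decodes to an MZ (PE) header")
    return ScanResult(len(trailing), len(blobs), executable, findings)


def build_sample(payload: bytes = b"") -> bytes:
    """Constructed input: a marker skeleton (not a decodable picture) with an
    optional Base64 blob appended after EOI, where smuggled data would sit."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # 14-byte APP0 body
    app0 = b"\xff\xe0" + (len(jfif) + 2).to_bytes(2, "big") + jfif
    image = SOI + app0 + EOI
    return image + base64.b64encode(payload) if payload else image


if __name__ == "__main__":
    # Constructed stand-in for an executable: an MZ header followed by filler.
    fake_pe = b"MZ" + b"\x90" * 300
    for name, blob in (("clean.jpg", build_sample()), ("smuggled.jpg", build_sample(fake_pe))):
        print(name, scan_jpeg(blob).findings or ["no findings"])
```

Treat a hit as a triage signal rather than a verdict: some cameras and editors leave harmless trailing bytes or large APP segments (embedded previews, ICC profiles), so the decode-to-MZ check is the finding worth escalating, and the scanner deliberately never writes the decoded bytes to disk or executes them.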
Once it has been launched, the malware establishes a DNS-based connection to the command and control (C2) server, through which the hackers can execute commands on the infected machine via the Windows cmd.exe tool.
To help avoid detection, the threat actors XOR-encoded the binary in order to hide the Golang (a programming language) assemblies from analysts. The assemblies are also tampered with so that the binary won’t be picked up by security tools.
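Because the C2 channel described above runs over DNS, the defender's vantage point is the resolver log rather than a firewall connection table. The following heuristic is an added example for this article, not tooling from the report or from any vendor: it groups queries by registered domain and flags domains that show the typical signs of data carried in query names (a new subdomain on almost every query, long high-entropy labels, and a TXT-heavy mix). The log lines are constructed; `beacon.test` uses a reserved TLD and stands in for a hypothetical C2 domain, with SHA-256 prefixes imitating encoded labels. The thresholds are illustrative starting points, not values taken from the campaign.

```python
import hashlib
import math
from collections import defaultdict

# Constructed resolver log: "<time> <client> <qtype> <qname>", one query per line.
# beacon.test (reserved TLD) stands in for a hypothetical C2 domain; the hashed
# labels imitate encoded data riding in the query name.
_ENCODED = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] for i in range(12)]
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} 10.0.0.5 A www.example.org" for i in range(4)]
    + [f"12:01:{i:02d} 10.0.0.5 A api.example.org" for i in range(2)]
    + [f"12:02:{i:02d} 10.0.0.5 {'TXT' if i % 2 else 'A'} {label}.beacon.test"
       for i, label in enumerate(_ENCODED)]
)


def shannon_entropy(text: str) -> float:
    """Bits per character: 0.0 for 'www', close to 4.0 for random hex."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered domain) using a naive last-two-labels rule."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def flag_suspicious(log_text: str, min_queries=10, min_unique_ratio=0.8,
                    min_entropy=3.0, min_avg_len=20, txt_ratio=0.5):
    """Return {domain: [reasons]} for domains whose query pattern looks like tunneling.

    A domain is flagged only when at least two independent signals agree, which
    keeps a single busy CDN hostname or one long label from tripping the rule.
    """
    per_domain = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        sub, domain = split_name(qname)
        s = per_domain[domain]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += int(qtype.upper() == "TXT")

    flagged = {}
    for domain, s in per_domain.items():
        if s["n"] < min_queries:
            continue
        reasons = []
        if len(s["subs"]) / s["n"] >= min_unique_ratio:
            reasons.append("almost every query uses a new subdomain")
        if s["ent"] / s["n"] >= min_entropy:
            reasons.append("high-entropy subdomain labels")
        if s["len"] / s["n"] >= min_avg_len:
            reasons.append("unusually long subdomains")
        if s["txt"] / s["n"] >= txt_ratio:
            reasons.append("TXT-heavy query mix")
        if len(reasons) >= 2:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

The naive last-two-labels split will mis-group names under two-level public suffixes (such as `co.uk`); a production version would use the Public Suffix List, and would also keep an allow-list for legitimate services that generate hashed hostnames, which otherwise look much like this pattern.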
As for Golang, Bleeping Computer highlights how it is becoming increasingly popular with cybercriminals due to its cross-platform capabilities (Windows, Linux, and Mac). And as evidenced above, it is more difficult to detect.
Securonix researchers have discovered that the domains used for the malware campaign were registered as recently as May 29, 2022. The payloads in question have not yet been flagged as malicious by antivirus scanning systems via VirusTotal.
It’s been a busy year for hackers looking to deliver malware. Apart from the regular tried-and-tested methods of spreading malicious files, they are even delaying the activation of their malicious code for up to a month once it has found its way onto a PC.
Meanwhile, fake DDoS pages are being embedded on WordPress sites to spread malware as well.