A newly discovered malware campaign is using an image from the James Webb Space Telescope as the carrier for its payload.
Detailed today by researchers at Securonix Inc. and dubbed “GO#WEBBFUSCATOR,” the campaign combines the telescope’s deep field image with an obfuscated payload written in Go (Golang) to infect potential victims.
The infection chain starts with a phishing email carrying a Microsoft Office attachment. The document itself holds no malicious code; instead, a relationship entry hidden in its metadata points to an external template on an attacker-controlled server. When the document is opened, Word fetches that remote template, which carries the macro code that launches the first stage of the attack (in a default Office configuration this still requires the user to enable macros).
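The remote-template technique described above can be checked for without opening the document: a .docx is a zip archive, and the link to an attached template is recorded as a relationship in `word/_rels/settings.xml.rels`. The scanner below is an added example written for this page, not Securonix’s tooling or a sample from the campaign; it builds a minimal constructed .docx-like archive in memory (the template URL and part contents are placeholders) and flags any attachedTemplate relationship whose target is external.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached template, and the namespace
# of the .rels parts that hold relationships (both from the ECMA-376 spec).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship parts worth inspecting for a remote template reference.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def find_external_templates(docx_bytes):
    """Return (part, target) pairs for every remote attachedTemplate reference.

    Word fetches a TargetMode="External" attachedTemplate when the document is
    opened, which is how a macro-free decoy document pulls in a malicious
    template from a server the attacker controls.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = set(z.namelist())
        for part in RELS_PARTS:
            if part not in parts:
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    hits.append((part, rel.get("Target")))
    return hits


def build_sample_docx(template_url=None):
    """Build a minimal, constructed .docx-like zip in memory for testing.

    This is not a real Word document (most mandatory parts are stubs); it only
    carries the parts the scanner looks at. The template URL is a placeholder.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_url:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (ATTACHED_TEMPLATE, template_url))
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx()
    suspicious = build_sample_docx("http://example.invalid/template.dotm")
    print("benign    :", find_external_templates(benign))
    print("suspicious:", find_external_templates(suspicious))
```

A legitimate corporate template can also be referenced this way (typically as a file:// or UNC path), so treat an http/https target, or any target outside your own infrastructure, as the signal rather than the mere presence of the relationship.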
Later in the chain, the script downloads a JPEG that displays the James Webb deep field image. Appended to the image data is a Base64-encoded payload wrapped in a certificate envelope (BEGIN/END CERTIFICATE markers), so that the built-in Windows certutil utility can be used to decode it. The decoded bytes are written to disk as an executable named “msdllupdate.exe,” a name chosen to resemble a legitimate Windows component; it is not a built-in Windows binary.
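The decode step relies on certutil ignoring everything outside the BEGIN/END CERTIFICATE lines, which is exactly what a scanner can exploit in reverse. The code below is an added example for this page, not the campaign’s own script or Securonix’s detection content: it locates PEM envelopes in arbitrary bytes, decodes them the way certutil -decode would, and reports whether the result looks like a DER certificate or a PE executable. The sample image is a constructed stand-in (a bare JPEG header and end-of-image marker with a fake MZ header appended), not the real deep field image.

```python
import base64
import binascii
import re

# certutil -decode only looks at what sits between these two lines, so an
# attacker can append a PEM envelope to any file and still get a clean decode.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                    re.S)

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; viewers stop here, trailing bytes are ignored


def classify_decoded(data):
    """Label decoded bytes by what they look like."""
    if data[:2] == b"MZ":
        return "pe-executable"   # DOS/PE header: never a valid decode of a certificate
    if data[:1] == b"\x30":
        return "der-like"        # ASN.1 SEQUENCE: a real X.509 certificate starts this way
    return "other"


def scan_for_smuggled_payload(blob):
    """Find PEM certificate envelopes in a file and decode them like certutil would.

    Returns one finding per envelope: its offset, whether it sits after the JPEG
    end-of-image marker (i.e. is invisible to image viewers), the verdict on the
    decoded bytes, and the decoded size.
    """
    findings = []
    eoi = blob.rfind(JPEG_EOI) if blob.startswith(JPEG_SOI) else -1
    for m in PEM_RE.finditer(blob):
        after_eoi = eoi != -1 and m.start() > eoi
        body = re.sub(rb"\s+", b"", m.group(1))
        try:
            decoded = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            findings.append({"offset": m.start(), "after_eoi": after_eoi,
                             "verdict": "undecodable", "size": 0})
            continue
        findings.append({"offset": m.start(), "after_eoi": after_eoi,
                         "verdict": classify_decoded(decoded),
                         "size": len(decoded)})
    return findings


# Constructed sample: a tiny stand-in "JPEG" (SOI + APP0 + filler + EOI) with a
# fake PE image (just an MZ stub) wrapped in a certificate envelope appended
# after the end-of-image marker.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_JPEG = (
    JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 32
    + JPEG_EOI
    + b"\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE)
    + b"-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    for finding in scan_for_smuggled_payload(SAMPLE_JPEG):
        print(finding)
```

A "der-like" verdict is not proof of a benign certificate, only that the first byte is consistent with one; for anything that decodes from an unexpected container such as an image, hand the bytes to a real X.509 parser before trusting them. On the endpoint side, the more robust signal is certutil being invoked with -decode against a file whose extension is not a certificate format.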
The generated file is a Windows 64-bit executable around 1.7 MB in size and employs several obfuscation techniques to hide from antivirus software and to make analysis difficult. “At the time of publication, this particular file is undetected by all antivirus vendors,” the researchers note.
“It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-endpoint detection and response detection methodologies in mind,” the researchers added.
The researchers describe the attack chain as notable less for its individual components than for their combination: Go-based malware is no longer unusual, but pairing it with the Windows certutil command-line tool to decode a payload smuggled inside an image is far less common.
“This campaign once again proposes the risk inherent in the concept of digital trust and its implications in the field of security,” Paolo Passeri, principal sales engineer at cybersecurity software company Netskope Inc., told SiliconANGLE.
Referencing the growth of remote work, Passeri noted that “users now place more reliance on digital interactions than on human ones, which lowers the level of guard against any content coming from the internet and are no longer used to thoroughly check the origin of the information.”