A new malware campaign, ‘GO#WEBBFUSCATOR’, has been spotted hiding inside a James Webb telescope image
Threat researchers have identified a fresh malware campaign, dubbed “GO#WEBBFUSCATOR”, that delivers its payload through phishing emails, malicious Office documents, and an image taken by the James Webb telescope. The malware is written in Golang (Go), a cross-platform language that is gaining popularity among cybercriminals because compiled Go binaries are harder to reverse-engineer and analyze and because a single code base runs on Windows, Linux, and macOS.
According to Securonix analysts, the payloads used in this latest campaign had not yet been flagged as malicious by any antivirus engine on the VirusTotal scanning platform at the time of analysis.
The infection starts with a phishing email carrying the malicious attachment “Geos-Rates.docx”. When opened, the document fetches a template file from a remote server; that template contains a VBA macro that runs automatically if macros are enabled in the Office suite. The macro downloads the JPG image “OxB36F8GEEC634.jpg” from a remote server, decodes it with the built-in Windows utility certutil.exe, and launches the decoded result as an executable (“msdllupdate.exe”).
Opened in an image viewer, the JPG shows the galaxy cluster SMACS 0723, the image NASA released in July 2022. Opened in a text editor, however, it reveals a Base64-encoded blob framed as an embedded certificate: this is the malicious 64-bit executable, and the certificate framing is what lets certutil’s Base64 decoding turn the “image” into a working binary.
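The decode step above is easy to reproduce for triage. The script below is an added example, not code from Securonix or from the campaign: it scans an image file for a certificate-framed Base64 block, decodes the Base64 between the BEGIN/END lines (the only part of the file certutil's decoder consumes, which is why the JPEG data in front of it does no harm), and checks whether the result carries a PE header. The sample "image" is constructed inline, a minimal SOI...EOI JPEG skeleton followed by a fake MZ/PE stub; the assumption that the blob is appended after the EOI marker is the example's own, as the page does not say where in the file it sits.

```python
import base64
import binascii
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"


def extract_cert_blocks(data: bytes) -> list[bytes]:
    """Decode every Base64 body found between certificate header/footer lines.
    Bytes outside the BEGIN/END pair are ignored, which is exactly why a blob
    hidden in a JPEG survives `certutil -decode`."""
    blocks = []
    pattern = re.escape(BEGIN) + rb"(.*?)" + re.escape(END)
    for m in re.finditer(pattern, data, re.S):
        body = re.sub(rb"\s+", b"", m.group(1))  # strip the line wrapping
        try:
            blocks.append(base64.b64decode(body, validate=True))
        except binascii.Error:
            continue  # not valid Base64, keep looking
    return blocks


def is_pe_image(blob: bytes) -> bool:
    """Cheap PE check: MZ magic plus a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_image(data: bytes) -> dict:
    """Summarise what, if anything, is smuggled inside an image file."""
    is_jpeg = data[:2] == b"\xff\xd8"
    eoi = data.find(b"\xff\xd9")
    trailing = len(data) - (eoi + 2) if eoi != -1 else 0
    blobs = extract_cert_blocks(data)
    return {
        "is_jpeg": is_jpeg,
        "trailing_bytes_after_eoi": trailing,
        "cert_blocks": len(blobs),
        "pe_payloads": sum(1 for b in blobs if is_pe_image(b)),
    }


# Constructed test data (not the real OxB36F8GEEC634.jpg): a fake PE stub whose
# e_lfanew points at a PE signature, wrapped in certificate headers and appended
# to a minimal JPEG skeleton.
def build_fake_pe() -> bytes:
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20              # PE signature + padding
    return bytes(stub)


FAKE_PE = build_fake_pe()
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"  # SOI ... EOI
    + b"\r\n" + BEGIN + b"\r\n"
    + base64.encodebytes(FAKE_PE)                      # line-wrapped Base64 body
    + END + b"\r\n"
)

if __name__ == "__main__":
    print(triage_image(SAMPLE_JPG))
```

Run it against real samples by reading the file in binary mode; a positive `pe_payloads` count on something that claims to be a JPEG is a strong indicator on its own, and `trailing_bytes_after_eoi` catches appended data even when the Base64 is not certificate-framed.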
The malware uses XOR to hide the Golang assembly from analysis tools, and the payload’s strings are further obfuscated with ROT25. The assemblies also use case alteration to evade signature-based detection by security tools.
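Neither layer is cryptographically strong, which is the point worth seeing in code: ROT25 is a Caesar shift that ROT1 undoes, and XOR with a short key is symmetric and, for a single-byte key, brute-forceable in 256 tries. The following is an added example written for this article, not tooling from Securonix and not the campaign's own routines; the sample strings and the single-byte XOR key are constructed for illustration, since the page does not state the key length the malware uses.

```python
def rot_n(text: str, n: int) -> str:
    """Rotate ASCII letters by n positions (Caesar shift); other characters pass
    through untouched. ROT25 moves every letter one step back, so ROT1 undoes it."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot25_encode(text: str) -> str:
    return rot_n(text, 25)


def rot25_decode(text: str) -> str:
    return rot_n(text, 1)  # 25 + 1 == 26 == identity mod 26


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(blob: bytes) -> int:
    """Heuristic for 'looks like command/text strings': spaces and lowercase
    letters score high, other printable ASCII is neutral, control and high bytes
    are penalised hard."""
    score = 0
    for b in blob:
        if b == 0x20:
            score += 10
        elif 0x61 <= b <= 0x7A:
            score += 2
        elif 0x41 <= b <= 0x5A or 0x30 <= b <= 0x39:
            score += 1
        elif 0x21 <= b <= 0x7E:
            score += 0
        else:
            score -= 20
    return score


def crack_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Recover a single-byte XOR key by scoring all 256 candidates.
    Assumption for this example: one-byte key over text; not a claim about the
    real binary's key length."""
    best_key = max(range(256), key=lambda k: text_score(xor_bytes(blob, bytes([k]))))
    return best_key, xor_bytes(blob, bytes([best_key]))


def matches_signature(haystack: str, needles: list[str]) -> bool:
    """Case alteration ("CeRtUtIl") defeats exact-case signatures; compare
    case-folded strings instead."""
    h = haystack.casefold()
    return any(n.casefold() in h for n in needles)


# Constructed samples, not strings lifted from the real sample.
OBFUSCATED_STRINGS = [rot25_encode(s) for s in ("cmd.exe", "nslookup", "msdllupdate.exe")]
PLAIN_COMMAND = b"cmd.exe /c nslookup -timeout=5 c2.example.invalid"
XOR_KEY = b"\x5a"
PACKED_COMMAND = xor_bytes(PLAIN_COMMAND, XOR_KEY)

if __name__ == "__main__":
    print([rot25_decode(s) for s in OBFUSCATED_STRINGS])
    print(crack_single_byte_xor(PACKED_COMMAND))
    print(matches_signature("CeRtUtIl -DeCoDe OxB36F8GEEC634.jpg", ["certutil -decode"]))
```

The scoring function is deliberately biased toward spaces and lowercase letters because those dominate command lines and file paths; for a multi-byte key you would first estimate the key length (for example by Hamming-distance analysis) and then run the same single-byte crack per key position.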
The malware talks to its C2 server through DNS lookups (nslookup). The C2 can respond by setting the time interval between connection requests, changing the nslookup timeout, or sending commands for the malware to execute through the Windows cmd.exe tool.
During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.
The analysts noted that the domains used for the campaign were registered recently, the oldest on May 29, 2022.
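C2 over DNS leaves a recognisable trace in resolver logs: a burst of lookups from one host, each with a long, high-entropy leading label, all under the same parent domain. The detector below is an added example for this article (not Securonix's detection content and not tied to the real campaign's domains); the log line format, the threshold values, and the "parent domain = last two labels" shortcut are this example's own assumptions, and the log lines are constructed, with the beacon labels built so that each hex digit appears exactly twice (entropy 4.0 bits).

```python
import math
import re
from collections import defaultdict

# Assumed resolver log shape: "<timestamp> src=<ip> query=<name> type=<rrtype>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<query>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits per character; 32 random hex chars land near 4.0, hostnames much lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def split_query(qname: str) -> tuple[str, str]:
    """Return (leading_label, parent_domain). Assumption: the parent is the last
    two labels; a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def flag_dns_tunnel_candidates(lines, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Flag (src, parent_domain) pairs that issued at least min_unique lookups
    whose leading label is long and high-entropy: the shape of data being
    carried out in DNS queries. Repeated identical labels count once."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        label, parent = split_query(m["query"])
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            seen[(m["src"], parent)].add(label)
    hits = [(src, parent, len(labels)) for (src, parent), labels in seen.items()
            if len(labels) >= min_unique]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample log: benign traffic from 10.0.0.5, beacon-like lookups from
# 10.0.0.7 (one label repeated, so four lines yield three unique labels).
SAMPLE_LOG = [
    "2022-08-25T10:01:02Z src=10.0.0.5 query=www.example.com type=A",
    "2022-08-25T10:01:03Z src=10.0.0.5 query=static-assets-eu-west-1-cdn.example.net type=A",
    "2022-08-25T10:01:05Z src=10.0.0.7 query=0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.example.invalid type=A",
    "2022-08-25T10:01:09Z src=10.0.0.7 query=a1b2c3d4e5f60718293a4b5c6d7e8f90.c2.example.invalid type=A",
    "2022-08-25T10:01:14Z src=10.0.0.7 query=fedcba9876543210fedcba9876543210.c2.example.invalid type=A",
    "2022-08-25T10:01:19Z src=10.0.0.7 query=fedcba9876543210fedcba9876543210.c2.example.invalid type=A",
    "2022-08-25T10:01:20Z src=10.0.0.7 query=www.example.com type=A",
]

if __name__ == "__main__":
    for src, parent, count in flag_dns_tunnel_candidates(SAMPLE_LOG):
        print(f"{src} -> {parent}: {count} unique high-entropy labels")
```

The `min_unique` floor matters: a single long, odd-looking label is common (CDN hostnames, tracking subdomains), whereas many distinct ones under one parent from one host within a short window is not. Pair this with the page's other indicator, recently registered domains, by checking the parent domain's registration date before escalating.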