
JWST images reveal malware hidden by hackers

Published on Sep 05, 2022

Malware campaign GO#WEBBFUSCATOR leverages NASA’s James Webb Space Telescope (JWST) deep field image to deploy malicious payloads on infected systems.

Threat actors are increasingly turning to Go because of its cross-platform support, according to Securonix: a single codebase lets them target several operating systems.

Additionally, Go binaries can make reverse engineering a lot more difficult as compared to malware written in other languages such as C++ or C#, not to mention prolonging analysis and detection times.

The phishing emails carry a Microsoft Office attachment which, when opened, retrieves an obfuscated VBA macro that runs automatically if the recipient allows macros to be executed.

When the macro is executed, an image file named “OxB36F8GEEC634.jpg” is downloaded, which appears to be the First Deep Field captured by JWST, but is actually a Base64-encoded payload when examined in a text editor.

“Deobfuscated [macro] code executes [a command] which downloads a file named OxB36F8GEEC634.jpg, decodes it into a binary (msdllupdate.exe), and then executes it,” Securonix researchers D. Peck, T. Iuzvyk, and O. Kolesnikov explained.
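As a defensive triage check for the technique described above, the following is an added example (not code from Securonix or the article) that tests whether a file that arrived under a ".jpg" name is really a JPEG or a Base64 text blob that decodes to a PE executable. The sample "image" it builds is constructed test data in the shape certutil -encode produces, not the campaign's file.

```python
import base64
import binascii
import re

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG begins with the SOI marker FF D8 FF
PE_MAGIC = b"MZ"               # DOS/PE executable header
# One line of Base64 text (alphabet plus optional trailing padding).
_B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+=*$")


def classify_downloaded_image(data: bytes) -> str:
    """Classify bytes that were downloaded under an image file name.

    Returns 'jpeg' for a real JPEG, 'base64-pe' when the body is Base64
    text decoding to an MZ/PE executable, 'base64-other' for Base64 text
    decoding to anything else, and 'unknown' otherwise.
    """
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    # certutil -encode wraps its output in -----BEGIN/END CERTIFICATE-----
    # lines; ignore those and blank lines before testing the Base64 alphabet.
    lines = [ln.strip() for ln in data.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith(b"-----")]
    if not body or not all(_B64_LINE.match(ln) for ln in body):
        return "unknown"
    try:
        decoded = base64.b64decode(b"".join(body), validate=True)
    except binascii.Error:
        return "unknown"
    return "base64-pe" if decoded.startswith(PE_MAGIC) else "base64-other"


def constructed_sample_payload() -> bytes:
    """CONSTRUCTED stand-in for the fake image: Base64 text of a harmless
    MZ-prefixed blob, wrapped the way certutil -encode would wrap it."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"not an executable, test data only"
    encoded = base64.b64encode(fake_exe)
    chunks = [encoded[i:i + 64] for i in range(0, len(encoded), 64)]
    return (b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(chunks)
            + b"\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    print(classify_downloaded_image(constructed_sample_payload()))   # base64-pe
    print(classify_downloaded_image(JPEG_MAGIC + b"\xe0" + b"\x00" * 16))  # jpeg
```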

This binary, a 1.7MB 64-bit Windows executable, is not only designed to evade antimalware engines but is also obfuscated with Gobfuscate, a Golang obfuscation tool available on GitHub.

Gobfuscate was previously documented as being used by the actors behind ChaChi, a remote access trojan employed by the operators of the PYSA (aka Mespinoza) ransomware, and the Sliver command-and-control framework.

Communication with the C2 server is facilitated through encrypted DNS queries and responses, enabling the malware to run commands sent by the server through the Windows Command Prompt (cmd.exe). The C2 domains for the campaign are said to have been registered in late May 2022.

Because Microsoft now blocks macros by default across Office apps, several adversaries have tweaked their campaigns by switching to rogue LNK and ISO files to deploy malware. Whether GO#WEBBFUSCATOR will adopt a similar method remains to be seen.

Using a legitimate image to build a Golang binary with Certutil is not very common, the researchers said, adding, “it is clear that the original author of the binary intended the payload to be counter-forensically defensible and anti-EDR detection resistant.”
