Hackers spreading malware through images taken by James Webb Space Telescope

National Aeronautics and Space Administration’s (NASA) James Webb Space Telescope is known for the stunning images from space that it has been delivering us since its launching. Given its superior technology, the telescope can capture the earliest galaxies created shortly after the Big Bang.

Reportedly, hackers are also aware of their popularity and have decided to monetize from it.

Beware of Images Containing Malware

Securonix security researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices.

Dubbed GO#WEBBFUSCATOR, this persistent campaign highlights the increasing preference of malware operators for the Go programming language, probably because of its cross-platform support that lets hackers target different operating systems through a common codebase.

Attack Details

In their report, researchers D. Iuzvyk, T. Peck, and O. Kolesnikov explained that this campaign involves sending phishing emails that contain a Microsoft Office attachment named Geos-Rates.docx. The file is downloaded as a template.

These emails are the attack chain’s entry point. When the attachment is opened, an obfuscated VBA macro is auto-executed if the recipient has enabled macros. When executed, the macro downloads an image file titled OxB36F8GEEC634.jpg.

This appears to be the image of the First Deep Field sent from the telescope, but in reality, it is a Base64-encoded payload. The Windows 64-bit executable binary is 1.7MB in size. It can easily evade antimalware solutions and uses a technique called gobfuscation to utilize a Golang obfuscation tool, which is publicly available on GitHub.

According to researchers, crooks are using encrypted DNS queries/responses to communicate with the C2 server through which the malware can accept and run commands sent via the server through Windows Command Prompt.

“Using a legitimate image to build a Golang binary with Certutil is not very common. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind,” researchers noted.

Securonix Threat Labs

Related News

1. Attackers successfully hide Mac malware in ad images
2. Fake Cloudflare DDoS protection popups distribute malware
3. GoogleUserContent CDN Hosting Images Infected with Malware
4. Hackers exploit Raspberry Pi device to hack NASA’s mission system
5. New attack spreads LokiBot and NanoCore malware in ISO image files
6. Hacker disrupts Emotet botnet operation by replacing payload with GIFs