hackers-spreading-malware-through-images-taken-by-james-webb-space-telescope

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Hackers spreading malware through images taken by James Webb Space Telescope

National Aeronautics and Space Administration’s (NASA) James Webb Space Telescope is known for the stunning images from space that it has been delivering us since its launching. Given its superior technology, the telescope can capture the earliest galaxies created shortly after the Big Bang.

Reportedly, hackers are also aware of their popularity and have decided to monetize from it.

Beware of Images Containing Malware

Securonix security researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices.

Dubbed GO#WEBBFUSCATOR, this persistent campaign highlights the increasing preference of malware operators for the Go programming language, probably because of its cross-platform support that lets hackers target different operating systems through a common codebase.

Attack Details

In their report, researchers D. Iuzvyk, T. Peck, and O. Kolesnikov explained that this campaign involves sending phishing emails that contain a Microsoft Office attachment named Geos-Rates.docx. The file is downloaded as a template.

These emails are the attack chain’s entry point. When the attachment is opened, an obfuscated VBA macro is auto-executed if the recipient has enabled macros. When executed, the macro downloads an image file titled OxB36F8GEEC634.jpg.

Hackers spreading malware through images taken by James Webb Space Telescope

This appears to be the image of the First Deep Field sent from the telescope, but in reality, it is a Base64-encoded payload. The Windows 64-bit executable binary is 1.7MB in size. It can easily evade antimalware solutions and uses a technique called gobfuscation to utilize a Golang obfuscation tool, which is publicly available on GitHub.

According to researchers, crooks are using encrypted DNS queries/responses to communicate with the C2 server through which the malware can accept and run commands sent via the server through Windows Command Prompt.

“Using a legitimate image to build a Golang binary with Certutil is not very common. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind,” researchers noted.

Securonix Threat Labs

  1. Attackers successfully hide Mac malware in ad images
  2. Fake Cloudflare DDoS protection popups distribute malware
  3. GoogleUserContent CDN Hosting Images Infected with Malware
  4. Hackers exploit Raspberry Pi device to hack NASA’s mission system
  5. New attack spreads LokiBot and NanoCore malware in ISO image files
  6. Hacker disrupts Emotet botnet operation by replacing payload with GIFs

Author

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related News

Nearly 500 million WhatsApp User Records Sold Online

Nearly 500 million WhatsApp User Records Sold Online

In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile…
How to Create ISO Files from Discs – 3 Best Ways

How to Create ISO Files from Discs – 3 Best Ways

An ISO file is a disk image of an optical disc. It is a single file that contains all the…
All You Need to Know About Emotet in 2022

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it’s distributing malicious spam. Let’s dive…