Malware Disguised in James Webb Telescope Photos
Researchers at Securonix have discovered an unusual malware campaign involving a threat called GO#WEBBFUSCATOR, which is written in Go. Hackers are spreading this malware through phishing emails, malicious documents, and images taken by the James Webb Space Telescope.
How the Infection Works
The infection typically starts with a phishing email containing a malicious document named Geos-Rates.docx. When opened, this document downloads a template file that contains an obfuscated VBS macro. If macros are enabled in Microsoft Office, the macro runs automatically.
Next, the macro downloads a JPG image (OxB36F8GEEC634.jpg) from a remote server controlled by the attackers (xmlschemeformat[.]com). The image is then decoded into an executable file (msdllupdate.exe) using certutil.exe, and the file is launched on the system.
Malware Hidden in Space Images
Interestingly, if you simply open the malicious JPG file, you'll see the SMACS 0723 galaxy cluster, an image captured by the James Webb Space Telescope and released by NASA in July 2022. However, if you open the file in a text editor, you'll find extra content: a Base64-encoded payload that ultimately becomes the malicious executable.
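One way a defender can check for the trick described above (text appended after a JPEG's end-of-image marker that decodes to a Windows executable) is to inspect the bytes following the last FF D9 marker. The script below is an added example, not Securonix's tooling or the campaign's own file; the sample image and the "MZ" stub it carries are constructed inline for illustration.

```python
import base64
import binascii
import re

# JPEG End-Of-Image marker. Anything after the last EOI is not image data.
JPEG_EOI = b"\xff\xd9"
# Minimal JPEG header (SOI + JFIF APP0 segment) used to build test fixtures.
_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

# Constructed stand-in for a PE file: "MZ" DOS header followed by a fake "PE" signature.
_CONSTRUCTED_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

# Constructed samples: a clean image, and one with a Base64 blob appended after EOI,
# mirroring how the page describes the payload hidden in the telescope image.
CLEAN_IMAGE = _JPEG_HEAD + JPEG_EOI
SAMPLE_IMAGE = _JPEG_HEAD + JPEG_EOI + base64.b64encode(_CONSTRUCTED_PE_STUB)

# Base64 alphabet plus line breaks, optional padding, trailing whitespace.
B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def trailing_data(jpeg: bytes) -> bytes:
    """Return the bytes after the last EOI marker (empty if none is present).

    rfind is used because embedded thumbnails can contain their own FF D9;
    an appended Base64 text blob is pure ASCII and cannot contain one.
    """
    idx = jpeg.rfind(JPEG_EOI)
    if idx < 0:
        return b""
    return jpeg[idx + len(JPEG_EOI):]


def analyze(jpeg: bytes) -> dict:
    """Flag a JPEG whose trailer is Base64 text decoding to an MZ (PE) header."""
    tail = trailing_data(jpeg)
    result = {"trailing_bytes": len(tail), "base64_like": False, "decodes_to_pe": False}
    if not tail:
        return result
    if B64_RE.match(tail.strip()):
        result["base64_like"] = True
        try:
            decoded = base64.b64decode(re.sub(rb"\s", b"", tail), validate=True)
        except binascii.Error:
            return result
        result["decodes_to_pe"] = decoded[:2] == b"MZ"
    return result
```

A trailer that is Base64-like but does not decode to MZ is still worth a look, since other encodings or layers can sit on top of the same trick.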
Persistence and Communication
Dynamic analysis of the malware shows that the executable ensures persistence by copying itself to %localappdata%\microsoft\vault\ and creating a new registry entry. Once running, the malware establishes a DNS connection with its command-and-control (C2) server and sends encrypted requests.
"In the case of GO#WEBBFUSCATOR, communication with the C2 server is carried out using TXT-DNS queries and nslookup requests. All data is encoded with Base64," the researchers explain.
The C2 server can respond by setting time intervals between connection requests, changing the nslookup timeout, or sending commands to be executed via cmd.exe. Securonix experts observed attackers running arbitrary enumeration commands on test systems, indicating initial reconnaissance on infected machines.
Recent Domain Registrations
Researchers note that the domains used in this campaign were registered recently, with the oldest dating back to May 29, 2022.