Security researchers have uncovered a new campaign that distributes malware using phishing emails, malicious documents and an image of space taken by the James Webb Telescope. The campaign has been dubbed “GO#WEBBFUSCATOR”.
As a reminder, James Webb is a space telescope put into orbit by NASA that has been delighting us for several weeks with incredible images of galaxies, planets and more. These magnificent photos are viewed millions of times around the world, which naturally gave cybercriminals ideas.
Discovered by Securonix security researchers, this new malware is written in Golang, a language popular with attackers because it makes it easy to port an application from one system to another, whether Windows, Linux or macOS. According to the researchers, antivirus scanning engines do not currently detect this malware.
How does the attack unfold? It starts with a phishing email carrying an attachment named “Geos-Rates.docx”. This file contains an obfuscated VBS macro that runs automatically if macros are enabled in the Office suite (which may not be the case, depending on your version). The macro downloads a JPG image named “OxB36F8GEEC634.jpg” from a remote host (“xmlschemeformat[.]com”). The image is then decoded with certutil.exe, which produces the executable “msdllupdate.exe”, and that executable is run immediately.
If we open this image in the Windows image viewer, we see that it is simply the famous photo of the galaxy SMACS 0723, taken last July by the James Webb Telescope. However, if we open the same file in a text editor, things are different: the image also contains a certificate, as well as the code of the malicious executable. This malicious strain seeks persistence on the machine by copying itself to “%%localappdata%%microsoftvault” and creating registry keys.
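A defender-side check for the trick described above, added here as an example (it is not from the article or from the Securonix report): it looks for a certutil-style base64 certificate envelope appended after the JPEG end-of-image marker and flags the file when the decoded bytes carry a PE (MZ) header. The file layout and sample bytes are constructed assumptions, not campaign artefacts.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# certutil -encode wraps its base64 output in a CERTIFICATE envelope.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the last JPEG End-Of-Image marker (empty if there is none)."""
    idx = blob.rfind(JPEG_EOI)
    return b"" if idx == -1 else blob[idx + len(JPEG_EOI):]


def find_hidden_payloads(blob: bytes) -> list:
    """Report PEM-style blocks hidden after the image data and whether each
    one base64-decodes into something that starts with a PE (MZ) header."""
    findings = []
    for m in PEM_BLOCK.finditer(trailing_data(blob)):
        body = b"".join(m.group(1).split())  # drop the 64-char line wrapping
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue  # not a valid base64 body, so nothing certutil could decode
        findings.append({"decoded_len": len(decoded), "is_pe": decoded.startswith(b"MZ")})
    return findings


def is_suspicious(blob: bytes) -> bool:
    """True when a JPEG carries a decodable PE executable after its EOI marker."""
    return blob.startswith(JPEG_SOI) and any(f["is_pe"] for f in find_hidden_payloads(blob))


def certutil_style_wrap(data: bytes) -> bytes:
    """Mimic `certutil -encode`: base64 in a CERTIFICATE envelope, 64 chars per line."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed samples (hypothetical, not real campaign files).
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
TROJANIZED_JPEG = CLEAN_JPEG + certutil_style_wrap(FAKE_PE)

if __name__ == "__main__":
    print("clean image suspicious:", is_suspicious(CLEAN_JPEG))            # False
    print("trojanized image suspicious:", is_suspicious(TROJANIZED_JPEG))  # True
```

Image viewers stop rendering at the EOI marker, which is why the appended envelope is invisible in the viewer but plain to see in a text editor or to a check like this one.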
The malware communicates with attacker-controlled C2 servers through Base64-encoded DNS TXT queries. These requests carry information back to the attackers, who can also execute commands remotely, according to Securonix researchers.
The full report is available at this address: Securonix – Report