James Webb

Not so long ago, an image released by NASA made the rounds on the net. It was one of the first images taken by the James Webb Telescope, and it was described as “the sharpest infrared image of the distant universe to date”. More recently, however, the photo has reportedly been used by malicious actors in a malware campaign.

Attackers allegedly hid malicious code in a copy of James Webb’s First Deep Field. The security analysis platform Securonix identified the malware campaign, which uses the detailed image of galaxies, and later named it “GO#WEBBFUSCATOR”.

Credits: NASA, ESA, CSA, STScI, Webb ERO

How does the attack in question work?

It all starts with a phishing email that carries a Microsoft Office attachment. The document's metadata contains a URL from which a file containing a script is downloaded. The script runs only if certain Word macros are enabled.

The script then downloads a copy of James Webb’s famous Deep Field photo, one that contains malicious code and pretends to be a certificate. The problem is that, according to Securonix's report on the campaign, none of the antivirus programs can detect the malicious code contained in the image.
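A defender-side check for the technique described above, as an added example that is not from Securonix or the original article: it walks a JPEG's segments to find where the image really ends, then flags trailing data and certificate-style blocks whose contents are not a real DER certificate. The PEM `BEGIN CERTIFICATE` wrapping and the sample bytes are assumptions constructed for illustration.

```python
import base64, binascii, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def jpeg_end(data: bytes) -> int:
    """Offset just past the JPEG end-of-image marker, or -1 if none is reached."""
    if data[:2] != b"\xff\xd8":                 # must open with SOI
        return -1
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:                     # entropy-coded scan data
            i += 1
            continue
        m = data[i + 1]
        if m == 0xD9:                           # EOI: the image stops here
            return i + 2
        if m == 0xFF:                           # fill byte before a marker
            i += 1
        elif m in (0x00, 0x01) or 0xD0 <= m <= 0xD7:   # stuffing, TEM, RSTn
            i += 2
        else:                                   # segment with 2-byte length
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return -1

def scan_image(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    end = jpeg_end(data)
    if end == -1:
        findings.append("no valid JPEG structure")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes after end-of-image marker")
    for m in PEM_RE.finditer(data):             # markers anywhere in the file
        findings.append(f"certificate markers at offset {m.start()}")
        try:
            body = base64.b64decode(m.group(1))
        except binascii.Error:
            body = b""
        if body[:1] != b"\x30":                 # DER certs start with SEQUENCE
            findings.append("certificate body is not DER")
    return findings

# Constructed sample: a minimal JPEG skeleton (not a viewable picture) and the
# same bytes followed by a fake "certificate" whose body is inert filler.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
         + b"\xff\xda\x00\x04\x00\x00" + b"\x12\xff\x00\x34" + b"\xff\xd9")
FAKE_CERT = (b"\n-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(b"MZ" + bytes(30))
             + b"-----END CERTIFICATE-----\n")
SUSPECT = CLEAN + FAKE_CERT
```

Trailing data alone is a weak signal, since some tools legitimately append metadata; the combination with certificate markers that do not decode to a certificate is the stronger one.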

Reasons for using James Webb’s photo

Augusto Barros, vice president of Securonix, told Popular Science that there are several reasons why bad actors chose the popular James Webb image. One is that the images published by NASA are high resolution and therefore large.

The second reason is that this photo has been widely shared online, so even if an anti-malware program flags it, reviewers may dismiss the alert. Separately, Securonix says the malware campaign uses Golang, Google’s increasingly popular open-source programming language, because programs written in it are more difficult to analyze and reverse engineer. The company added that the best way to avoid falling victim to this attack is to not download attachments from untrusted sources.


By admin
