free counter
Tech

Space nerds beware: James Webb images used to spread malware

Claudio Caridi – stock.adobe.com

Astronomy and space aficionados are increasingly being targeted by cyber criminals exploiting a few of the now-famous images captured by Nasas James Webb Space Telescope to distribute malware

Alex Scroxton

By

Published: 01 Sep 2022 12: 32

Cyber criminals are exploiting a few of the astounding new images captured by Nasas James Webb Space Telescope to indiscriminately spread malware with their targets, in accordance with intelligence shared by the threat research team at cloud security analytics specialist Securonix.

In a fresh report, Securonix analysts D Iuzvyk, T Peck and O Kolesnikov said that they had found a distinctive sample of a persistent Golang-based campaign, that they are tracking as Go#Webfuscator.

As previously explored by Computer Weekly, Golang- or Go-based malwares are ever more popular among cyber criminals, specifically because their binaries are harder to analyse and reverse engineer in comparison with C++ or C#, and as the language is more flexible when it comes to cross-platform support, this means they are able to target more systems simultaneously without having to be fiddled with. Advanced persistent threat (APT) groups such as for example Mustang Panda are fans of it therefore.

Go#Webfuscator itself is spread via phishing emails containing a Microsoft Office attachment which contains, saved in its metadata, an external reference that pulls a malicious template file containing a Visual Basic script to initiate the initial stage of code execution, if the victim is unfortunate enough make it possible for macros.

After deobfuscating the Visual Basic code, the Securonix team found it executed a command to download a .jpg image file and used the certutil.exe command line program to decode it right into a binary and execute it.

The .jpg involved may be the now-famous Webbs First Deep Field image, taken by the James Webb Space Telescope, which ultimately shows the SMACS 0723 cluster of galaxies in extraordinary detail, including a few of the faintest & most distant objects ever seen in the infrared spectrum.

In cases like this, however, it includes malicious Base64 code disguised being an included certificate that, by Securonixs disclosure, had not been detected by any antivirus software. When decrypted, therefore is saved right into a built Windows executable file, the Golang binary in other words, the malware itself.

Go#Webfuscator is really a remote access trojan, or RAT, that calls back again to its command and control (C2) infrastructure and serves to determine an encrypted channel for control of the victims system, or even to deliver secondary payloads to exfiltrate sensitive data, that could include passwords, account details and financial information, making its victims susceptible to fraud or identity theft further down the road.

Overall, TTPs [tactics, techniques and procedures] observed with Go#Webfuscator through the entire attack chain are very interesting. Utilizing a legitimate image to create a Golang binary with certutil isn’t very common inside our experience or typical then one we have been tracking closely, the team wrote within their disclosure.

Consumers should be cautious with any unsolicited emails that utilize the James Webb Space Telescope as their topic and really should avoid any Microsoft Office attachments which contain a .jpg image, as that is used to automatically deliver the malicious payload
Ray Walsh, ProPrivacy

Its clear that the initial writer of the binary designed the payload with both some trivial counter-forensics and anti-EDR [endpoint detection and response] detection methodologies at heart.

Ray Walsh, an electronic privacy expert at ProPrivacy, said: Consumers should be cautious with any unsolicited emails that utilize the James Webb Space Telescope as their topic and really should avoid any Microsoft Office attachments which contain a .jpg image, as that is used to automatically deliver the malicious payload.

Individuals are reminded these forms of attacks depend on Office being set to automatically execute macros. We advise that all Office users change their macro settings to notify them before a macro is executed, as this can help prevent malware from self-installing.

For security professionals, further information on the campaign, including indicators of compromise (IoCs), Mitre ATT&CK techniques and Yara rules, can be found from Securonix.

Read more on Hackers and cybercrime prevention

Read More

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button

Adblock Detected

Please consider supporting us by disabling your ad blocker