Pierluigi Paganini August 31, 2022

A malware campaign tracked as GO#WEBBFUSCATOR used an image taken from NASA’s James Webb Space Telescope (JWST) as a lure.

Securonix Threat researchers uncovered a persistent Golang-based malware campaign tracked as GO#WEBBFUSCATOR that leveraged the deep field image taken from the James Webb telescope.

The phishing emails contain a Microsoft Office attachment that includes an external reference in its metadata which downloads a malicious template file.

Upon opening the document, a malicious template file is downloaded and saved on the system. The template file contains a VB script that will start the infection process.

Once the macro is executed, an image file “OxB36F8GEEC634.jpg” that appears as an image of the First Deep Field captured by JWST is downloaded. The experts discovered the image includes a Base64-encoded payload by inspecting the file with a text editor.

“The image file is quite interesting. It executes as a standard .jpg image as seen in the image below. However, things get interesting when inspected with a text editor.” reads the analysis published by the experts.

“The image contains malicious Base64 code disguised as an included certificate. At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal”

The Base64 encoded payload, once decrypted, is a Windows 64-bit executable (1.7MB) called “msdllupdate.exe.”

The binary employs multiple obfuscation techniques to avoid detection and make analysis hard.

The binary encoded strings using ROT25 and is compiled using the Go programming language and obfuscated using Gobfuscation.

Once executed, the malware makes unique DNS connections, experts determined that the binary was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server.

“This technique works by sending an encrypted string appended to the DNS query set as a subdomain. We have observed similar behavior with DNS exfiltration tools such as DNSCAT2.” continues the report.

The C2 domains employed in this campaign have been registered in late May 2022, the researchers shared Indicators of Compromise (IoCs) along with MITRE ATT&CK techniques.

“Overall, TTPs observed with GO#WEBBFUSCATOR during the entire attack chain are quite interesting. Using a legitimate image to build a Golang binary with Certutil is not very common in our experience or typical and something we are tracking closely. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, James Webb Space Telescope)

[adrotate banner=”5″]

[adrotate banner=”13″]