Oh no, that James Webb Space Telescope snap might actually contain malware
Is nothing sacred?
Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way.
The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft.
More specifically, the obfuscated code is Base64-encoded and included in the .jpeg disguised as a certificate. The payload, dubbed GO#WEBBFUSCATOR, was not detected as malicious by antivirus engines in VirusTotal. This is all according to researchers at cybersecurity firm Securonix, who said they spotted and inspected the .jpeg's contents.
The malware "incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system," Securonix's D. Iuzvyk, T. Peck, and O. Kolesnikov wrote in a report this week.
This cybercrime campaign is notable not only for the use of the telescope image but also for using Go, which is becoming increasingly popular among miscreants, such as China-linked Mustang Panda, to create binaries that hamper detection and analysis. Depending on the analyst and the tools at their disposal, Go executables can be more tedious to reverse engineer than other compiled code.
The flexible programming language also provides cross-platform – at least Windows, Mac, and Linux – support and compilation, so "malware authors are able to compile code using a common codebase for multiple platforms such as Windows and *NIX operating systems," the trio wrote. There also are malware frameworks such as ColdFire and OffensiveGolang that can be used to create malware and executables from Go source.
Cybersecurity experts for more than a year have been tracking the growing use of Go by cybercriminals, including ransomware slingers. CrowdStrike wrote in a report late last year said that there was an 80 percent increase in malware samples written in Go from June to August 2021.
Go isn't the only new-ish language being leveraged by threat groups. Rust also is being embraced by such gangs, including the developers behind the ransomware from Hive and BlackCat. Like Go, Rust can be more difficult to detect and reverse-engineer. It might also just be a reflection of the fact that people are using Go and Rust more in production.
- That 'clean' Google Translate app is actually Windows crypto-mining malware
- China-linked APT40 gang targets wind farms, Australian government
- Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
- 77% of security leaders fear we're in perpetual cyberwar from now on
The infection starts with a phishing email that contains a Microsoft Office attachment named Geos-Rates[.]docx that, when opened, downloads a malicious template file that contains an obfuscated VBA macro that automatically executes – if the macro is allowed to run. Microsoft last month blocked internet-source macros by default in Office to improve security, which has pushed threat groups to find alternative methods for launching attacks, such as using Windows LNK files.
If the script runs, it downloads the image file OxB36F8GEEC634[.]jpg that appears to be the Webb telescope photo .jpeg. Once fetched, the code uses certutil.exe to decode it into a binary and execute it.
The binary is a Windows 64-bit executable that is about 1.7MB in size and uses a number of obfuscation techniques to hide from security services and hamper analysis. Strings within the code were obfuscated using ROT25 and the binary is all messed up as a result of Gobfuscation, a Go-based tool that is available on GitHub. See the above write-up for the full details on what to look for, if you're concerned this may have landed on your network.
The executed malware "was observed making unique DNS connections," the researchers wrote. "By looking at the URL strings we can determine that the binary file was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server." That is to say, it was using DNS queries to leak data from the system.
They added that the tactics, techniques, and procedures (TTPs) "observed with GO#WEBBFUSCATOR during the entire attack chain are quite interesting. Using a legitimate image to build a Golang binary with Certutil is not very common in our experience or typical and something we are tracking closely." ®