James Webb Space Telescope Images are Being Used by Hackers to Hide Malware

It seems the images from the James Webb Space Telescope contain more than just highly detailed photos of stars and galaxies.

Threat analysts from Securonix have discovered that at least one of Webb's images is being used to hide malware that could compromise people's privacy.

Securonix is a cybersecurity company that offers a "next generation security analytics and operations management platform," per the company's About Us page.

GO#WEBBFUSCATOR Malware Details

Researchers from Securonix mentioned in a blog post that they have spotted a new malware campaign dubbed "GO#WEBBFUSCATOR."

This malware relies on phishing emails, malicious documents, and space images from Webb to spread itself, per Bleeping Computer.

The threat actor, the party who created the malware, wrote GO#WEBBFUSCATOR in Golang, a programming language popular among cybercriminals because it is cross-platform and offers increased resistance to reverse engineering and analysis.

However, as of this writing, the payloads dropped by the threat actor are not flagged as malicious by the antivirus engines on the VirusTotal scanning platform.

The malware first infects a victim's computer through a phishing email carrying a Microsoft Office attachment whose metadata hides an external reference.

When opened, this attachment downloads and saves a malicious template file to the victim's computer. The template contains a VBA script that initiates the first stage of code execution for this attack once the user enables macros.

Once the victim enables macros, the malicious VBA is auto-executed and deobfuscated. The deobfuscated code then runs a command to download a file named OxB36F8GEEC634.jpg and uses certutil.exe to decode it into a binary and execute it.

The jpg file shows the galaxy cluster SMACS 0723, which was one of Webb's first images published by NASA in July.

However, if the file is opened with a text editor, it reveals Base64 content disguised as an included certificate.

Although not flagged as malicious by antivirus engines, the decoded payload is saved as a Windows executable named "msdllupdate.exe."
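As an added defender's example (not code from the article or from Securonix), the following Python check looks for the kind of artifact described above: a JPEG with a PEM-style certificate block appended after the end-of-image marker, whose Base64 content decodes to bytes beginning with the "MZ" header of a Windows executable. The sample file it inspects is constructed inline and is hypothetical, not the real campaign file.

```python
import base64
import re

# PEM certificate wrapper: the form certutil -decode accepts.
CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
JPEG_SOI = b"\xff\xd8"  # start-of-image marker
JPEG_EOI = b"\xff\xd9"  # end-of-image marker


def find_trailing_payload(data: bytes) -> dict:
    """Inspect a supposed JPEG for a PEM-wrapped Base64 blob after the image end.

    Returns whether the file starts like a JPEG, how many bytes follow the
    last EOI marker, how many certificate blocks sit in that trailer, and
    whether any of them decodes to a PE image (leading bytes 'MZ').
    """
    result = {"is_jpeg": data.startswith(JPEG_SOI), "trailer_len": 0,
              "cert_blocks": 0, "decoded_pe": False}
    eoi = data.rfind(JPEG_EOI)  # Base64 text is ASCII, so the last FF D9 is the real EOI
    if eoi == -1:
        return result
    trailer = data[eoi + 2:]
    result["trailer_len"] = len(trailer)
    for match in CERT_BLOCK.finditer(trailer):
        result["cert_blocks"] += 1
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(b"MZ"):
            result["decoded_pe"] = True
    return result


def build_sample() -> bytes:
    """Constructed input: a tiny fake JPEG followed by a PEM-wrapped blob
    whose decoded bytes start with 'MZ' (hypothetical, not the real file)."""
    fake_pe = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode."
    image = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
    return (image + b"\n-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(fake_pe) + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(find_trailing_payload(build_sample()))
```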

Based on what can be observed through dynamic malware analysis, the malicious executable communicates with its command-and-control (C2) server over DNS, sending encrypted queries that the C2 server can decrypt.

The C2 server can respond by setting the time interval between connection requests or by sending commands for the malware to execute through the Windows cmd.exe tool.

How To Avoid GO#WEBBFUSCATOR

Since the malware primarily spreads through phishing emails, it is strongly recommended not to open suspicious emails and attachments.

The Federal Trade Commission advises people to use security software on their computers and phones to protect them from new security threats.

Phishing.org also suggests installing an anti-phishing toolbar that protects web browsers from phishing sites, and being wary of pop-ups.

Lastly, the use of high-quality firewalls is recommended to act as buffers between computers and outside intruders.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
