Researchers over at cybersecurity firm Securonix have discovered a novel malware campaign called ‘GO#WEBBFUSCATOR’ using images from the James Webb space telescope to spread malware under the radar. The campaign also employs phishing emails and malicious documents to do the same.
To make matters worse, the malware is written in Golang, a programming language popular for its cross-platform support and increased resistance to reverse engineering and analysis. This allows the malicious payloads from the campaign to pass by undetected from any antivirus engines on Virustotal.
The campaign otherwise is pretty standard. The target is sent a phishing email with a malicious document called “Geos-Rates.docx” which downloads a template file on the victim’s computer. This malicious file contains a hidden VBS macro that exploits the long-standing Microsoft Office Macro loophole to download a JPG from a remote source, turn it into an executable and launch the malware.
The Microsoft Office suite automatically executes any VBS macros provided macros are enabled in the Office suite. The downloaded JPG file is from the James Webb telescope showing the galaxy cluster SMACS 0723, published by NASA in July this year.
What the image actually contains is a Base64-encoded payload disguised as a certificate which turns the image into a malicious 64-bit executable file which finally installs the malware. The payload is further hidden using the ROT25 encryption cypher, and the executable file uses XOR to hide its Golang assembly files. The assembly files themselves avoid signature-based detection using case alteration.
Once installed and executed, the malware connects to a command and control centre using DNS and starts sending encrypted messages encoded using Base64.
The command server, in turn, responds by sending commands to be executed by the Windows Command Prompt. It can also change the time interval between the requests as well as the time between DNS lookups. According to Securonix, the malware can also make itself persistent by making a new registry key and copying itself to the “%%localappdata%%\microsoft\vault\” directory.