Security researchers at Securonix have identified a new malware campaign, dubbed "GO#WEBBFUSCATOR", that uses phishing emails, forged documents and space images from the James Webb telescope to spread malicious executables.

The malware is written in Golang, a programming language particularly popular among threat actors because it allows the creation of cross-platform malware that runs on Windows, Linux and macOS, and because its binaries offer greater resistance to the analysis and reverse-engineering techniques security researchers use to understand how a sample works and to develop the appropriate countermeasures.

The campaign is particularly sophisticated. It starts from a phishing email containing a document named "Geos-Rates.docx", which in turn downloads a template file. The template contains an obfuscated VBS macro that runs automatically if macros are enabled in Office. The macro then downloads a JPG image from a remote resource and decodes it, via certutil.exe, into the executable "msdllupdate.exe", which is then launched.

Opened in an image viewer, the downloaded JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022. Opened in a text editor, however, the file reveals additional content disguised as an embedded certificate: a payload that, once decoded, turns into the malicious 64-bit executable. The payload's strings are further obfuscated with other techniques to hinder detection, analysis and tracking of suspicious activity.
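As an added example (not code from Securonix's report), a defender-side check for the trick described above: it looks for data appended after a JPEG's end-of-image marker, extracts any PEM-style certificate block found there, and tests whether its base64 body decodes to a PE file, which is what certutil would produce. The sample inputs are constructed, not the real campaign artefacts.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"  # Start-Of-Image marker
JPEG_EOI = b"\xff\xd9"  # End-Of-Image marker: a well-formed file ends here
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def inspect_jpeg(data: bytes) -> dict:
    """Report data appended after the JPEG EOI marker and whether a PEM-style
    certificate block in that tail decodes to a PE (DOS 'MZ' header)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    # The appended block is ASCII, so the last 0xFFD9 is the real image end.
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("not a JPEG: missing EOI marker")
    tail = data[eoi + len(JPEG_EOI):]
    report = {"trailing_bytes": len(tail), "has_cert_block": False,
              "decodes_to_pe": False, "decoded_size": 0}
    match = PEM_CERT.search(tail)
    if match is None:
        return report
    report["has_cert_block"] = True
    body = re.sub(rb"\s+", b"", match.group(1))  # certutil ignores line breaks
    try:
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error:
        return report  # a certificate block that is not valid base64
    report["decoded_size"] = len(decoded)
    report["decodes_to_pe"] = decoded.startswith(b"MZ")
    return report

def build_sample(trojanized: bool) -> bytes:
    """Constructed test input: a minimal SOI+EOI 'image' (not a real picture),
    optionally with a fake PE ('MZ' header plus padding) appended as PEM."""
    image = JPEG_SOI + JPEG_EOI
    if not trojanized:
        return image
    fake_pe = b"MZ" + b"\x90" * 62
    b64 = base64.b64encode(fake_pe)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (image + b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(lines)
            + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(inspect_jpeg(build_sample(True)))   # decodes_to_pe: True
    print(inspect_jpeg(build_sample(False)))  # trailing_bytes: 0
```

Any non-zero `trailing_bytes` on an image received by email is worth a look on its own; `decodes_to_pe` is the high-confidence signal.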

According to the researchers, the malware is also able to establish persistence on the system and then communicate with a command-and-control server, from which it awaits instructions and commands.

Securonix warns that the payload is currently not flagged as malicious by antivirus engines, and that the domains used in the campaign were registered recently, the oldest dating back to May 29, 2022. The researchers have shared indicators of compromise for this threat.
