Malware campaign relies on spaces images from James Webb telescope

by | Aug 31, 2022 | News

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.

 

The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

In the recent campaign discovered by researchers at Securonix, the threat actor drops payloads that are currently not marked as malicious by antivirus engines on the VirusTotal scanning platform.

See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course

Infection chain

 

The infection starts with a phishing email with an attached malicious document, “Geos-Rates.docx”, which downloads a template file.

That file contains an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite. The code then downloads a JPG image (“OxB36F8GEEC634.jpg”) from a remote resource (“xmlschemeformat[.]com”), decodes it into an executable (“msdllupdate.exe”) using certutil.exe, and launches it.

 

Obfuscated VBS macro (left) and decoded command to download the JPG file (right)
Obfuscated VBS macro (left) and decoded command to download the JPG file (right) (Securonix)

 

In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022.

However, if opened with a text editor, the image reveals additional content disguised as an included certificate, which is a Base64-encoded payload that turns into the malicious 64-bit executable.

 

Same file on image viewer (left) and on text editor (right)
Same file on image viewer (left) and on text editor (right) (Securonix)

 

The payload’s strings are further obfuscated using ROT25, while the binary uses XOR to hide the Golang assemblies from analysts. On top of that, the assemblies use case alteration to avoid signature-based

Malware functions

 

Based on what could be deduced via dynamic malware analysis, the executable achieves persistence by copying itself to ‘%%localappdata%%\microsoft\vault\’ and adding a new registry key.

Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.

“The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents,” explains Securonix in the report.

In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64.

The C2 may respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending out commands to execute through the Windows cmd.exe tool.

During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.

The researchers note that the domains used for the campaign were registered recently, the oldest one on May 29, 2022.

Securonix has provided a set of indicators of compromise (IoCs) that includes both network and host-based indicators.

 

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This