Space nerds beware: James Webb images used to spread malware

Cyber criminals are exploiting some of the astounding new images captured by Nasa’s James Webb Space Telescope to indiscriminately spread malware to their targets, according to intelligence shared by the threat research team at cloud security analytics specialist Securonix.

In a new report, Securonix analysts D Iuzvyk, T Peck and O Kolesnikov said they had found a unique sample of a persistent Golang-based campaign, which they are tracking as Go#Webfuscator.

As previously explored by Computer Weekly, Golang- or Go-based malwares are increasingly popular among cyber criminals, in particular because their binaries are harder to analyse and reverse engineer when compared to C++ or C#, and because the language is more flexible in terms of cross-platform support, which means they can target more systems at once without needing to be fiddled with. Advanced persistent threat (APT) groups such as Mustang Panda are fans of it for these reasons.

Go#Webfuscator itself is spread via phishing emails containing a Microsoft Office attachment which contains, tucked away in its metadata, an external reference that pulls a malicious template file containing a Visual Basic script to initiate the first stage of code execution, if the victim is unfortunate enough to enable macros.

After deobfuscating the Visual Basic code, the Securonix team found it executed a command to download a .jpg image file and used the certutil.exe command line program to decode it into a binary and then execute it.

The .jpg in question is the now-famous Webb’s First Deep Field image, taken by the James Webb Space Telescope, which shows the SMACS 0723 cluster of galaxies in extraordinary detail, including some of the faintest and most distant objects ever observed in the infrared spectrum.

In this case, however, it contains malicious Base64 code disguised as an included certificate that, as of Securonix’s disclosure, was not detected by any antivirus software. When decrypted, this in turn is saved into a built Windows executable file, the Golang binary – that is to say, the malware itself.

Go#Webfuscator is a remote access trojan, or RAT, that calls back to its command and control (C2) infrastructure and serves to establish an encrypted channel for control of the victim’s system, or to deliver secondary payloads to exfiltrate sensitive data, which could include passwords, account details and financial information, making its victims vulnerable to fraud or identity theft further down the line.

“Overall, TTPs [tactics, techniques and procedures] observed with Go#Webfuscator during the entire attack chain are quite interesting. Using a legitimate image to build a Golang binary with certutil is not very common in our experience or typical and something we are tracking closely,” the team wrote in their disclosure.

“Consumers must be wary of any unsolicited emails that use the James Webb Space Telescope as their topic and should avoid any Microsoft Office attachments that contain a .jpg image, as this is being used to automatically deliver the malicious payload”

“It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR [endpoint detection and response] detection methodologies in mind.”

Ray Walsh, a digital privacy expert at ProPrivacy, said: “Consumers must be wary of any unsolicited emails that use the James Webb Space Telescope as their topic and should avoid any Microsoft Office attachments that contain a .jpg image, as this is being used to automatically deliver the malicious payload.

“Consumers are reminded that these kinds of attacks rely on Office being set to automatically execute macros. We recommend that all Office users change their macro settings to notify them before a macro is executed, as this will help to prevent malware from self-installing.”

For security professionals, further details of the campaign, including indicators of compromise (IoCs), Mitre ATT&CK techniques and Yara rules, are available from Securonix.