The James Webb Space Telescope's scientific work has grabbed our attention with news about the early universe. As is typical with anything trending, threat actors followed, using one of Webb's images to deliver a malware payload.
On July 12, 2022, NASA's telescope shared its first deep field image (a long exposure that captures faint, distant stars and galaxies), showing thousands of galaxies, some as old as 13 billion years. The image soon went viral, and it didn't take long for malicious hackers to take advantage of our desire to explore the unknown.
The Securonix Threat Research team has recently discovered that attackers leveraged Webb's deep field image, together with obfuscated payloads written in the Go programming language (Golang), to infect target systems with malware.
Go-based malware is increasingly popular with advanced persistent threat (APT) groups such as Mustang Panda, since Go binaries are considerably harder to analyze and reverse engineer. Go is also flexible in its cross-platform support and cross-compilation.
“Malware authors are able to compile code using a common codebase for multiple platforms such as Windows and *NIX operating systems,” Securonix noted.
The initial infection begins with a phishing email carrying a Microsoft Office attachment that references a malicious external file; the attack chain starts once the recipient opens the attachment.
Eventually, an image of Webb's first deep field appears on the screen. Although it looks like a regular .jpg file and renders as one in an image viewer, inspecting it with a text editor reveals a Base64-encoded payload.
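An image that renders normally but carries a Base64 blob is easy to triage once you know to look. The following Python is an added example for this article, not code from Securonix or from the campaign: it builds a constructed miniature JPEG (a real SOI/APP0/EOI skeleton) with a harmless Base64 blob appended after the end-of-image marker, then scans the file for long Base64-alphabet runs, checks whether anything follows the EOI marker, strictly decodes each run, and guesses the decoded blob's file type from its magic bytes. The article does not say where in the file the real payload sat, so the scanner searches the whole file rather than only the tail; the placement after EOI, the 40-character run threshold, and the placeholder payload are all assumptions of this example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files for this example. The "suspicious" one is a minimal
# JPEG skeleton (SOI, one APP0/JFIF segment, EOI) with a Base64 blob appended
# after the end-of-image marker. The blob decodes to a harmless placeholder
# that merely starts with the PE magic "MZ"; it is NOT the campaign's payload.
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# APP0 segment: marker, 2-byte length (16), "JFIF\0", version 1.1, units, density, no thumbnail
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PLACEHOLDER_PAYLOAD = b"MZ placeholder-go-binary-bytes" * 4   # 120 bytes (assumed, not real)
CLEAN_JPG = SOI + APP0 + EOI
SAMPLE_JPG = CLEAN_JPG + base64.b64encode(PLACEHOLDER_PAYLOAD)  # appends 160 Base64 chars

# A run of 40+ Base64-alphabet characters is far longer than anything a normal
# JPEG segment produces by chance; the threshold is an assumption to tune.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def trailing_bytes_after_eoi(data: bytes) -> bytes:
    """Return whatever follows the last EOI marker; a clean JPEG ends at EOI."""
    idx = data.rfind(EOI)
    return b"" if idx == -1 else data[idx + 2:]


def find_base64_runs(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, run) for every long Base64-alphabet run anywhere in the file."""
    return [(m.start(), m.group()) for m in B64_RUN.finditer(data)]


def try_decode(run: bytes) -> Optional[bytes]:
    """Strictly decode a Base64 run; None if it is not valid Base64."""
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_magic(blob: bytes) -> str:
    """Cheap file-type guess for a decoded blob based on its magic bytes."""
    if blob.startswith(b"MZ"):
        return "PE"
    if blob.startswith(b"\x7fELF"):
        return "ELF"
    return "unknown"


def triage(data: bytes) -> Dict[str, object]:
    """Summarise whether an image file carries an embedded Base64 payload."""
    runs = []
    for offset, run in find_base64_runs(data):
        decoded = try_decode(run)
        runs.append({
            "offset": offset,
            "length": len(run),
            "decodes": decoded is not None,
            "magic": classify_magic(decoded) if decoded else "n/a",
        })
    trailing = len(trailing_bytes_after_eoi(data))
    return {
        "is_jpeg": data.startswith(SOI),
        "trailing_bytes": trailing,
        "base64_runs": runs,
        "suspicious": bool(runs) or trailing > 0,
    }


if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPG), ("deepfield.jpg", SAMPLE_JPG)):
        print(name, triage(blob))
```

Both signals matter: an image viewer happily ignores bytes after EOI, so `trailing_bytes` alone catches simple appends, while the Base64-run scan also catches payloads tucked into comment or application segments inside the image. A decoded blob whose magic says "PE" inside a file named .jpg is the kind of mismatch worth a detection rule.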
Securonix said that the executed malware was observed making unique DNS connections that could be used for "either establishing an encrypted channel for command and control or exfiltrating sensitive data."
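Using DNS as a covert channel leaves a recognisable footprint: a single parent domain receives many never-repeated queries whose leftmost label looks like encoded data. The Python below is an added example written for this article, not Securonix's detection logic, and it runs over constructed query log lines rather than real telemetry from the campaign. It profiles each parent domain by the number of unique query names and the mean Shannon entropy of the leftmost label, then flags domains that exceed both thresholds. The log format, the `.invalid` test domain, the TXT query type, the thresholds, and the "parent domain = last two labels" shortcut are all assumptions of this example.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample DNS query log: "<timestamp> <client> <qname> <qtype>".
# Made up for this example; the .invalid TLD is reserved and resolves nowhere.
SAMPLE_DNS_LOG = """\
2022-08-30T10:00:01Z 10.0.0.5 www.example.com A
2022-08-30T10:00:02Z 10.0.0.5 mail.example.com MX
2022-08-30T10:00:03Z 10.0.0.9 example.org A
2022-08-30T10:00:04Z 10.0.0.7 7a6b3c9d2e1f4a5b6c7d8e9f0a1b2c3d.beacon-test.invalid TXT
2022-08-30T10:00:05Z 10.0.0.7 4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c.beacon-test.invalid TXT
2022-08-30T10:00:06Z 10.0.0.7 c0ffee0badf00d1234567890abcdef12.beacon-test.invalid TXT
2022-08-30T10:00:07Z 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.beacon-test.invalid TXT
2022-08-30T10:00:08Z 10.0.0.7 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e.beacon-test.invalid TXT
2022-08-30T10:00:09Z 10.0.0.7 deadbeefcafebabe0123456789abcdef.beacon-test.invalid TXT
2022-08-30T10:00:10Z 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.beacon-test.invalid TXT
2022-08-30T10:00:11Z 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.beacon-test.invalid TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: no
    public-suffix list, so co.uk-style suffixes would need real PSL handling)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[dict]:
    """Parse the four-field log format assumed for this example."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def profile_domains(records: List[dict]) -> Dict[str, dict]:
    """Per parent domain: unique query names and mean entropy of the leftmost label."""
    acc = defaultdict(lambda: {"qnames": set(), "entropies": [], "qtypes": set()})
    for r in records:
        parent = parent_domain(r["qname"])
        labels = r["qname"].split(".")
        acc[parent]["qnames"].add(r["qname"])
        acc[parent]["qtypes"].add(r["qtype"])
        if len(labels) > 2:                      # only measure real subdomain labels
            acc[parent]["entropies"].append(shannon_entropy(labels[0]))
    profiles = {}
    for parent, d in acc.items():
        ent = d["entropies"]
        profiles[parent] = {
            "unique_qnames": len(d["qnames"]),
            "mean_entropy": sum(ent) / len(ent) if ent else 0.0,
            "qtypes": sorted(d["qtypes"]),
        }
    return profiles


def flag_tunneling(profiles: Dict[str, dict], min_unique: int = 5, min_entropy: float = 3.0) -> List[str]:
    """Domains with many unique names AND data-like labels; thresholds are assumptions."""
    return sorted(p for p, s in profiles.items()
                  if s["unique_qnames"] >= min_unique and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    profiles = profile_domains(parse_log(SAMPLE_DNS_LOG))
    for domain, stats in profiles.items():
        print(domain, stats)
    print("flagged:", flag_tunneling(profiles))
```

Expect false positives from CDNs and content-hashed hostnames, which also produce many high-entropy labels; in practice you would allowlist those, add a per-client query rate, and weight TXT and NULL queries, which carry far more data per response than A records.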
“It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind,” Securonix concluded.