
Malware hidden in images from NASA's newest telescope goes undetected by antivirus engines

Threat analysts at Securonix have discovered a new malware campaign, GO#WEBBFUSCATOR, in which attackers embed malicious code in photos from the new James Webb telescope. Two things make it particularly troublesome: first, the pictures actually render for the user, so the victim may never notice anything is wrong; second, the malware is currently not detected by any antivirus engine (according to the VirusTotal portal). Reported by BleepingComputer.

It all starts with a phishing email carrying an attached Geos-Rates.docx document, which in turn downloads a template file. The template contains an obfuscated VBS macro that runs automatically if macros are enabled in MS Office on the victim's computer. The macro then downloads a JPG image (OxB36F8GEEC634.jpg) from a remote server, decodes it into an executable (msdllupdate.exe) using certutil.exe, and launches it.

Obfuscated VBS macro (left) and decoded command to load a JPG file (right)

As a result, the user is shown the much-publicised image of the galaxy cluster SMACS 0723, released by NASA in July 2022. If the file is opened in a text editor rather than an image viewer, however, extra content becomes visible, disguised as an embedded certificate: a Base64-encoded payload that decodes to a malicious 64-bit executable.

The same file opened in an image viewer (left) and a text editor (right)
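A defender-side check for the file layout described above, added here as an example and not code from Securonix, BleepingComputer or the campaign itself: it looks for data appended after a JPEG's End-Of-Image marker, extracts any certificate-style Base64 block hiding there, and reports whether it decodes to a Windows executable. The sample bytes are constructed for the demonstration, not taken from the real image.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"   # Start Of Image marker
JPEG_EOI = b"\xff\xd9"   # End Of Image marker: nothing legitimate follows it
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def trailing_data(jpeg):
    """Return the bytes appended after the JPEG End-Of-Image marker (b'' if none).
    rfind() is used because EXIF thumbnails carry their own FFD9; the last one ends
    the main image. A text trailer such as base64 cannot contain 0xFF, so it is safe here."""
    if not jpeg.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    end = jpeg.rfind(JPEG_EOI)
    return b"" if end < 0 else jpeg[end + len(JPEG_EOI):]

def pem_payloads(trailer):
    """Yield the decoded bytes of every certificate-looking block in the trailer."""
    for m in PEM_BLOCK.finditer(trailer):
        try:
            yield base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64: skip it rather than fail the whole scan

def scan_jpeg(jpeg):
    """Summarise what hides behind the picture: trailer size, PEM blocks, embedded PE."""
    trailer = trailing_data(jpeg)
    report = {"trailer_bytes": len(trailer), "pem_blocks": 0, "embedded_pe": False}
    for blob in pem_payloads(trailer):
        report["pem_blocks"] += 1
        # A genuine DER certificate starts with an ASN.1 SEQUENCE tag (0x30);
        # a Windows executable starts with the "MZ" DOS header.
        if blob.startswith(b"MZ"):
            report["embedded_pe"] = True
    return report

# Constructed sample data: a minimal JPEG skeleton (not a viewable picture) and the
# same skeleton with a fake PE appended inside a certificate envelope, mimicking
# the layout the article describes.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
FAKE_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32
_b64 = base64.b64encode(FAKE_PE)
_wrapped = b"\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
POISONED_JPEG = (CLEAN_JPEG + b"\r\n-----BEGIN CERTIFICATE-----\r\n" + _wrapped
                 + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_JPEG), ("poisoned", POISONED_JPEG)):
        print(name, scan_jpeg(data))
```

Trailing data on its own is not proof of malice (some cameras and editors append metadata), so treat the PE check as the high-confidence signal and the trailer size as a triage hint.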

The malware itself is written in Go (Golang), a language gaining popularity among attackers because of its cross-platform support (Windows, Linux, macOS) and its greater resistance to reverse engineering and analysis. The executable copies itself to %localappdata%\microsoft\vault\ and adds a new key to the registry. The malware's full capabilities are not yet known, but researchers have already observed it executing arbitrary commands through the command line, the standard first step in system reconnaissance. Securonix noted that all domains used by the attackers were registered recently; the oldest was created on May 29, 2022.

Source: Trash Box
