Golang-based Malware Campaign Relies on James Webb Telescope's Image

A new hacking campaign is exploiting the notorious deep field image taken from the James Webb telescope alongside obfuscated Go programming language payloads to infect systems.

The malware was spotted by the Securonix Threat research team, who is tracking the campaign as GO#WEBBFUSCATOR.

“Initial infection begins with a phishing email containing a Microsoft Office attachment,” the security experts wrote in an advisory. “The document includes an external reference hidden inside the document’s metadata which downloads a malicious template file.”

Securonix said that, in a way comparable to that of a traditional Office macro, the template file contains a VB script (an Active Scripting language developed by Microsoft and modeled on Visual Basic) that will automatically start the first stage of code execution for this attack once the user enables macros.

After deobfuscating the code, the security experts saw the malware execute a command that downloaded an image file, used certutil.exe (a Windows command-line program installed as part of Certificate Services) to decode it into a binary and then finally executed it.

The image file itself executed as a standard .jpg file and showcased a deep field photo taken from the James Webb telescope. However, when inspected with a text editor, Securonix saw the image contained malicious Base64 code camouflaged as an included certificate. 

“At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal,” the advisory reads.

The security researchers also explained that using a legitimate image to build a Golang binary with Certutil is not very common and, therefore, something the team is tracking closely. 

“It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-endpoint detection and response (EDR) detection methodologies in mind,” wrote Securonix.

The malware also shows that Golang is still popular among hackers. In fact, the advisory detailing its discovery comes days after Trend Micro spotted a new piece of targeted ransomware created in the Go programming language.

What’s Hot on Infosecurity Magazine?