Hackers use images taken by James Webb Space Telescope to hide malware

Golang-based malware campaign leverages NASA's JWST images to lure victims and deploy malware


The James Webb Space Telescope has been delivering amazing images from space and taking over social media after its successful launch. Hackers are now taking advantage of the hype by hiding their malware in one of those telescope images.[1] The malware campaign was discovered by threat researchers and has been named "GO#WEBBFUSCATOR". The hackers behind it use emails, malicious documents, and a particular deep-space image from the James Webb Space Telescope to spread malware.[2]

The use of Golang to write the malware helped the attackers because the language compiles for all major platforms and helps the binary evade threat analysis.[3] The campaign was discovered and analyzed by researchers at Securonix, who point to the growing adoption of Go among threat actors. The language lets malicious actors maintain a single codebase and build it for various operating systems.

Go binaries also have the added benefit, from the attacker's point of view, of being harder to analyze and reverse engineer than malware written in languages like C++. Prolonged analysis and failed detection attempts allow the malware to persist and spread for a longer period.

Malicious documents in email attachments were used for spreading

The research shows that the hackers used emails with attached documents to install the malware. The document attached to the email messages was named Geos-Rates.docx and, once opened, loaded a template file onto the machine. The template in turn retrieves an image file. An image viewer shows it as the galaxy cluster image that NASA shared in July this year.[4] If the same file is opened with a text editor instead of an image viewer, it reveals additional content appended after the image data: the malicious executable.

The content appended to the JPG is Base64-encoded text. Once decoded it becomes a Windows executable, which is then launched. Detection is still avoided because the payload is a Golang binary whose strings and function names have been obscured with a method called gobfuscation, which relies on a Golang tool publicly available on GitHub. Other threat actors have used this library before: the ChaChi remote access trojan employed the technique,[5] and the PYSA ransomware group uses it in its toolset alongside its command-and-control framework.
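The trick described above, a JPEG that still displays normally because the payload sits after the End-Of-Image marker, can be checked for mechanically. The following is an added example, not code from the original article or from the Securonix research: a small Python scanner that walks the JPEG segment structure, returns whatever follows the real EOI marker, and classifies it (nothing, a raw PE file, a Base64 blob, or a Base64 blob that decodes to a PE file). The sample image and the "MZ" payload are constructed placeholders; they are not the campaign's image or binary.

```python
import base64
import re
import struct

# Constructed sample files. MINIMAL_JPEG is a structurally valid JPEG skeleton
# (SOI, APP0/JFIF header, SOS, a few bytes of scan data, EOI); it is not a
# viewable picture. FAKE_PAYLOAD is a harmless stand-in for an executable,
# not the campaign's real binary.
MINIMAL_JPEG = (
    b"\xff\xd8"                                                         # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                   # APP0 (JFIF)
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS
    + b"\x12\xff\x00\x34"                                               # scan data (FF 00 = stuffed byte)
    + b"\xff\xd9"                                                       # EOI
)
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
CLEAN_IMAGE = MINIMAL_JPEG
TROJANIZED_IMAGE = MINIMAL_JPEG + base64.b64encode(FAKE_PAYLOAD)

# Markers that carry no length field: TEM, SOI and the restart markers RST0-RST7.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))

# Base64 alphabet plus whitespace, optionally padded. Used to recognise text trailers.
BASE64_TEXT = re.compile(rb"\A[A-Za-z0-9+/\s]+={0,2}\s*\Z")


def trailing_bytes(data: bytes) -> bytes:
    """Walk the JPEG segment structure and return everything after the real
    End-Of-Image marker. Walking segments, rather than searching for FF D9,
    avoids false hits inside embedded EXIF thumbnails, which carry their own EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte: skip it and re-read the marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the image ends here
            return data[pos:]
        if marker in STANDALONE:
            continue
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])  # length includes its own 2 bytes
        pos += seglen
        if marker == 0xDA:          # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break           # FF 00 is a stuffed byte, FF D0-D7 a restart marker
                pos += 1
    raise ValueError("no EOI marker found: truncated file")


def classify_trailer(trailer: bytes) -> str:
    """Describe what, if anything, was appended after the image."""
    if not trailer.strip():
        return "clean"
    if trailer[:2] == b"MZ":
        return "raw PE appended"
    if BASE64_TEXT.match(trailer):
        try:
            decoded = base64.b64decode(trailer)   # whitespace is discarded by default
        except ValueError:
            return "unknown data appended"
        if decoded[:2] == b"MZ":
            return "base64-encoded PE appended"
        return "base64 blob appended"
    return "unknown data appended"


def scan_image(data: bytes) -> dict:
    """Triage verdict for one file: size of the trailer and what it looks like."""
    trailer = trailing_bytes(data)
    return {"trailer_len": len(trailer), "verdict": classify_trailer(trailer)}


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_IMAGE), ("trojanized", TROJANIZED_IMAGE)):
        print(name, scan_image(blob))
```

On a real file, pass `open(path, "rb").read()` to `scan_image`. A non-empty trailer is not proof of malice on its own (some cameras and editors append metadata), but a trailer that decodes to an "MZ" header is worth pulling into a sandbox together with the document and template that fetched the image.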

How the malware functions

Analysis of the malware spread through these methods revealed that the executable achieves persistence by copying itself to another folder on the system and adding a new key to the Windows registry. Once launched, the malware establishes a DNS connection to the C2 server and sends it encrypted queries. The server can respond by setting the time interval between those connection requests, which alters the nslookup timeout, and can send commands that the malware executes via the Windows Command Prompt (cmd.exe).
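Command and control over DNS, as described above, leaves a characteristic trace in resolver logs: one host repeatedly querying many distinct, long, random-looking subdomains of one registered domain, often at a steady beacon interval. The following is an added example, not code from the original article or from the Securonix research: a Python script that profiles a DNS query log per registered domain and flags tunnel-like traffic. The log lines, the C2 domain `c2-example.test` and the hex subdomains are all constructed placeholders, not indicators from the campaign; "registered domain" is approximated as the last two labels, which a production version would replace with a public-suffix-list lookup.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log: timestamp, client IP, query name, query type.
# Everything here is made up for the example; the domain names and the hex
# labels are placeholders, not indicators of compromise.
SAMPLE_LOG = """\
2022-08-30T10:00:00 10.0.0.5 www.example.org A
2022-08-30T10:00:01 10.0.0.5 4f9c1e7a2b8d3c6e0f1a5b7c9d2e4f6a.c2-example.test TXT
2022-08-30T10:00:31 10.0.0.5 8a3e5c7d9b1f2e4a6c8d0b2f4a6e8c1d.c2-example.test TXT
2022-08-30T10:00:45 10.0.0.5 cdn.example.net A
2022-08-30T10:01:01 10.0.0.5 0d2f4b6e8a1c3e5b7d9f2a4c6e8b0d3f.c2-example.test TXT
2022-08-30T10:01:31 10.0.0.5 b7d9f1a3c5e7b9d2f4a6c8e0b2d4f6a9.c2-example.test TXT
2022-08-30T10:02:01 10.0.0.5 e2c4a6f8b0d2e4c6a8f0b2d4c6e8a0f3.c2-example.test TXT
2022-08-30T10:02:31 10.0.0.5 3c5e7a9d1f3b5e7c9a2d4f6b8e0c2a5d.c2-example.test TXT
2022-08-30T10:03:00 10.0.0.5 www.example.org A
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.rstrip(".").lower(),
            "qtype": qtype,
        })
    return records


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for this example: real tooling should use
    the public suffix list so that e.g. example.co.uk is handled correctly."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or Base64 tunnel labels score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(records: list) -> dict:
    """Per registered domain: query volume, subdomain diversity, entropy, timing."""
    groups = defaultdict(list)
    for r in records:
        groups[registered_domain(r["qname"])].append(r)
    out = {}
    for domain, rs in groups.items():
        subs = [r["qname"][: -len(domain) - 1] for r in rs if r["qname"] != domain]
        times = sorted(r["ts"] for r in rs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[domain] = {
            "queries": len(rs),
            "unique_subdomains": len(set(subs)),
            "mean_subdomain_len": (sum(map(len, subs)) / len(subs)) if subs else 0.0,
            "entropy": shannon_entropy("".join(subs).replace(".", "")),
            "txt_ratio": sum(r["qtype"] == "TXT" for r in rs) / len(rs),
            "median_gap_s": statistics.median(gaps) if gaps else None,  # beacon interval
        }
    return out


def flag_suspicious(profiles: dict, min_unique=5, min_entropy=3.0, min_len=16) -> list:
    """Tunnel-like traffic: many distinct, long, high-entropy subdomains of one domain."""
    return sorted(
        d for d, m in profiles.items()
        if m["unique_subdomains"] >= min_unique
        and m["entropy"] >= min_entropy
        and m["mean_subdomain_len"] >= min_len
    )


if __name__ == "__main__":
    prof = profile(parse_log(SAMPLE_LOG))
    for domain, metrics in prof.items():
        print(domain, metrics)
    print("suspicious:", flag_suspicious(prof))
```

The thresholds are starting points, not a signature: CDN and anti-spam services also generate long random subdomains, so in practice the verdict is combined with domain age (the article notes the oldest domain in this campaign was registered days before use), the steadiness of `median_gap_s`, and whether the querying process is something like nslookup spawned from an Office document.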

Researchers also revealed that the threat actors ran arbitrary enumeration commands on the test system, a standard first step in reconnaissance. The domains used in these attacks were registered recently; the oldest was registered on May 29, 2022. This suggests the attacks are new and not particularly targeted, but the advanced adaptation of the toolset and language indicates that the campaign is unlikely to stop soon.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
