Hackers Are Sneaking Malware Into James Webb Images

In July 2022, NASA released the first images captured by the James Webb telescope. Among them was a stunning capture of the galaxy cluster called SMACS 0723. Back then, NASA called it the deepest infrared image of the universe, while the thousands of galaxies making an appearance in the monumental picture were touted to be the faintest objects ever observed in the infrared region of the electromagnetic spectrum. However, the same image is now being weaponized by hackers to seed malware and wreak all sorts of havoc from a remote server.

The folks over at security firm Securonix have detailed a malware seeding campaign called GO#WEBBFUSCATOR that is exploiting the Webb telescope's famous click to seed malware. The biggest advantage that comes with using Golang programming language is that it is natively cross-platform compatible, which means the same codebase can be deployed across different target platforms such as Linux, macOS, and Windows (via Cyware). In the latest example of Golang being abused for malicious goals, bad actors are delivering a malware payload that is virtually undetectable and involves the celebrated Webb image of the cosmos to hide malicious scripts.

To start the complex chain, hackers first seed a bogus email that contains a malicious Office attachment labeled (in Securonix's case, at least) Geos-Rates.docx in the inbox. The document's metadata actually hides (or obfuscates, which is where the campaign name comes from) metadata that can trigger a file download. The destination for the download URL further tries to pass off as a legitimate Microsoft web link, the security researchers explained in their blog post.

A sneaky but damaging attack

Once the document is opened, the auto-download script saves the malicious code. The code then automatically executes itself to perform its intended job. Subsequently, the code injected into the system downloads a jpg image file that looks like the snap captured by the Webb telescope. However, analysis of the image using a text editor reveals that it actually hides a Base64 code, which itself tries to avoid suspicion by passing itself off as a legitimate certificate. This is actually the payload, which transforms into a 64-bit script ready to be executed and deal damage.

What truly elevates the threat level here is the fact that the malicious Base64 code moves past "all antivirus" systems without ringing any system-level threat alarms, Securonix says. Multiple layers of encoding and obfuscation are employed for the executable payload to evade detection. As soon as the payload is executed, it links the target system to a remote server, leaving the PC at the mercy of a hacker. Once a connection is established, encrypted data packets are sent to the hacker.

Securonix notes, "This practice can be used for either establishing an encrypted channel for command and control, or exfiltrating sensitive data." Moreover, the malware tricks the Windows registry Run key and becomes persistent, which means a reboot won't expel the malicious code. At this stage, it is up to the bad actor's skills and intentions to perform nuisances ranging from remote system takeover for extracting ransom to stealing data and spying.