By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Notification
Latest News
Malicious WhatsApp spreads through legitimate applications
October 16, 2022
Scammers fake Windows problems, forcing users to call them back
October 15, 2022
Another 0-day bug has been found in Microsoft Exchange, and LockBit ransomware operators are exploiting it
October 15, 2022
Microsoft has fixed more than 80 vulnerabilities, but there are still no patches for ProxyNotShell
October 14, 2022
Roskomnadzor regularly updates the list of blocked VPN services
October 14, 2022
Aa
  • News
  • Tutorials
  • Security InsiderComing Soon
  • Expert InsightComing Soon
Reading: Malware hides in images from the James Webb telescope
Share
Security Parrot - Cyber Security News, Insights and ReviewsSecurity Parrot - Cyber Security News, Insights and Reviews
Aa
Search
  • News
  • Tutorials
  • Security InsiderComing Soon
  • Expert InsightComing Soon
Follow US
Security Parrot - Cyber Security News, Insights and Reviews > News > Malware hides in images from the James Webb telescope
News

Malware hides in images from the James Webb telescope

Last updated: 2022/08/31 at 9:50 PM
Security Parrot Editorial Team Published September 1, 2022
Share
SHARE

Securonix researchers have noticed an interesting malware campaign that distributes malware called GO#WEBBFUSCATOR written in Go. To spread it, hackers use phishing emails, malicious documents, and images from the James Webb telescope.

Typically, infection starts with a phishing email with a malicious document Geos-Rates.docx attached, which downloads a template file. This file, in turn, contains an obfuscated VBS macro that runs automatically if macros are enabled in Office.

Then, an image in JPG format (OxB36F8GEEC634.jpg) is downloaded from a remote resource controlled by the attackers (xmlschemeformat[.]com). The picture is decoded into an executable file (msdllupdate.exe) using certutil.exe, after which the file is launched.

Interestingly, if you simply open this malicious .JPG, you can see the galaxy cluster SMACS 0723, taken by the James Webb Telescope and published by NASA in July 2022. If you open the file in a text editor, you can find additional content, namely the payload encrypted with Base64, which eventually turns into a malicious executable file.

Dynamic analysis of the malware showed that the executable file provides the malware with a stable presence in the system by copying itself to “%%localappdata%%\microsoft\vault\” and creating a new registry key. Once launched, the malware establishes a DNS connection with the command and control server and sends encrypted requests to it.

“In the case of GO#WEBBFUSCATOR, communication with the command and control server is implemented using TXT-DNS requests and nslookup requests. All data is encoded using Base64,” the researchers say.

The command and control server can respond to malware by setting time intervals between connection requests, changing the nslookup timeout, or sending commands to be executed using cmd.exe. So, Securonix experts observed how attackers ran arbitrary commands listed in test systems, that is, they carried out initial reconnaissance on infected machines.

The researchers note that the domains used in this campaign were registered recently, the oldest of which is dated May 29, 2022.

Weekly Updates For Our Loyal Readers!

Security Parrot Editorial Team September 1, 2022
Share this Article
Facebook Twitter Email Copy Link Print

Archives

  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020

You Might Also Like

News

Malicious WhatsApp spreads through legitimate applications

October 16, 2022
News

Scammers fake Windows problems, forcing users to call them back

October 15, 2022
News

Another 0-day bug has been found in Microsoft Exchange, and LockBit ransomware operators are exploiting it

October 15, 2022
News

Microsoft has fixed more than 80 vulnerabilities, but there are still no patches for ProxyNotShell

October 14, 2022

© 2022 Parrot Media Network. All Rights Reserved.

  • Home
  • Parrot Media Group
  • Privacy Policy
  • Terms and Conditions
Join Us!

Subscribe to our newsletter and never miss our latest news, podcasts etc..

Zero spam, Unsubscribe at any time.

Removed from reading list

Undo
Go to mobile version
Welcome Back!

Sign in to your account

Lost your password?