Posted on September 1, 2022 at 2:59 PM
A threat actor has been hiding malware in an image taken by the James Webb Space Telescope and using it to infect Windows computers, according to reports.
Currently, antivirus programs are unable to detect the malware-laden image, which makes it highly potent and dangerous. The malware is written in Golang, a programming language that has gained popularity among threat actors due to its cross-platform support.
Cybersecurity firm Securonix, which obtained a sample of the program, said the threat actor is targeting victims via phishing emails that contain malicious Office documents. The document is designed by the operators to plant the malware on the target's system. The process also includes an image taken by the James Webb Space Telescope, according to Securonix.
The image is a JPG file and looks like the widely circulated photo of the region of space known as SMACS 0723, which was captured earlier this year by the space telescope.
However, Securonix stated that the malware-laden file contains hidden computer code, which becomes visible when the image is inspected with a text editor.
The Image Contains A Malicious Base64 Code
In a blog post by Securonix, the security researchers noted that malicious Base64-encoded code has been planted in the image. The code is disguised as an included certificate, but steals user data once installed.
The hidden computer code is the main building block of the malware program. The attack decodes it from the image file into a 64-bit Windows executable named msdllupdate.exe, which can then be run on the Windows system.
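The detection idea implied by the two paragraphs above is simple: a JPEG ends with an end-of-image marker, so anything after that marker is foreign data, and if that data is Base64 (possibly wrapped in certificate-style armor) and decodes to something starting with an MZ header, the image is carrying an executable. The following script is an added example, not code from the original article or from Securonix; the JPEG skeleton and the "payload" it embeds are constructed here and the payload is only an MZ header plus filler, not a real program.

```python
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # start-of-image marker
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; legitimate data stops here

# Certificate-style armor lines that a payload may hide behind (assumption:
# "fronts as an included certificate" means PEM-like BEGIN/END lines).
_PEM_LINE = re.compile(rb"-----(BEGIN|END)[^-]*-----")
_B64_CHARS = re.compile(rb"^[A-Za-z0-9+/=]+$")


def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the last JPEG end-of-image marker (empty if none)."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    eoi = image.rfind(JPEG_EOI)
    if eoi == -1:
        return b""
    return image[eoi + len(JPEG_EOI):]


def decode_hidden_blob(blob: bytes) -> Optional[bytes]:
    """Strip armor lines and whitespace, then attempt strict Base64 decoding."""
    text = _PEM_LINE.sub(b"", blob)
    text = b"".join(text.split())
    if not text or not _B64_CHARS.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_jpeg(image: bytes) -> dict:
    """Summarise what, if anything, is appended to the JPEG."""
    extra = trailing_data(image)
    result = {"trailing_bytes": len(extra), "base64_decoded": False, "pe_header": False}
    decoded = decode_hidden_blob(extra) if extra else None
    if decoded is not None:
        result["base64_decoded"] = True
        # Windows executables start with the "MZ" DOS header.
        result["pe_header"] = decoded[:2] == b"MZ"
    return result


# Constructed sample: a minimal JPEG skeleton (SOI, one APP0 segment, EOI).
CLEAN_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xd9"
)
# Constructed fake payload: an MZ header plus filler, NOT a real program.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
ARMORED = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE)
    + b"-----END CERTIFICATE-----\n"
)
TAMPERED_JPEG = CLEAN_JPEG + ARMORED

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG)):
        print(name, classify_jpeg(img))
```

The check is cheap enough to run on every image attachment at a mail gateway or on files dropped into a user's profile; a non-zero trailing size alone is worth logging, since image editors and cameras do not append certificate blocks to photos.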
Based on the analysis run by Securonix, the malware also tries to remain persistent on the affected system. It does this by planting a binary in the Windows registry Run key.
This forces the system to launch the malware whenever it boots up. Additionally, the malware is designed to receive commands from, and communicate with, the threat actor's command and control (C2) server. This allows the threat actors to take over an infected system remotely.
Images Have Been Used To Plant Malware In The Past
Threat actors have used images to plant malware in the past, so this may not come as a surprise to observers. Security researchers have repeatedly found threat actors using images as a way of hiding their malware infections, and in some cases as a way of linking up with malicious programs.
However, Securonix noted that the malicious files are limited in their attack strength. They can only start their attack when child processes and macros are enabled for Office products.
Otherwise, the threat actors' tactics won't be able to auto-execute. Securonix has also provided further recommendations on ways of detecting and stopping an attack.
Go binaries have the added advantage of making sure that reverse engineering is a lot more difficult compared to malware written in other languages.
Also, phishing emails that contain Microsoft Office attachments serve as the point of entry for the attack chain. Once the attachment is opened, it runs an obfuscated VBA macro, which auto-executes when the target enables macros.
The binary, a Windows 64-bit executable, is 1.7MB in size. It is not only designed to stay hidden from antimalware engines but is also obscured through a technique known as gobfuscation. The technique uses a Golang obfuscation tool that is publicly available on GitHub.
The ChaChi Threat Actors Also Use The Gobfuscate Library
The Securonix researchers also noted that the gobfuscate library has been previously used by the hackers behind remote access Trojan ChaChi, which was deployed by the PYSA operators. The threat actors use the library as part of the C2 framework and part of their toolset.
Also, the threat actors maintain communication with the malware through encrypted DNS queries and responses. This allows the malware to carry out commands delivered through the Windows Command Prompt. According to the report, the campaign's C2 domain was registered in May this year.
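Command and control over DNS leaves a characteristic trace even when the payload is encrypted: one domain receives many queries, each for a different, long, high-entropy subdomain that no human would type. The following script is an added example, not code from the article or from Securonix, and goes a little beyond the paragraph by giving the general per-domain heuristic rather than any detail of this campaign. It assumes a simple whitespace-separated resolver log format (timestamp, host, "query", record type, name); the log lines, the domain example-c2.invalid and the benign names are all constructed for the demonstration, and the "registered domain" is approximated as the last two labels, which real tooling would replace with a public suffix list lookup.

```python
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain); None subdomain if there is none.

    Simplification (assumption): the registered domain is the last two labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format: '<ts> <host> query <type> <qname>'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        records.append({"ts": parts[0], "host": parts[1], "qtype": parts[3], "qname": parts[4]})
    return records


def find_dns_tunnel_candidates(records, min_unique=5, min_entropy=3.5, min_len=20) -> dict:
    """Flag domains that receive >= min_unique distinct long, high-entropy subdomains."""
    per_domain = defaultdict(set)
    for r in records:
        sub, dom = split_qname(r["qname"])
        if sub is not None:
            per_domain[dom].add(sub)
    findings = {}
    for dom, subs in per_domain.items():
        suspicious = [
            s for s in subs
            if len(s.replace(".", "")) >= min_len
            and shannon_entropy(s.replace(".", "")) >= min_entropy
        ]
        if len(suspicious) >= min_unique:
            mean = sum(shannon_entropy(s.replace(".", "")) for s in suspicious) / len(suspicious)
            findings[dom] = {
                "unique_subdomains": len(subs),
                "suspicious_labels": len(suspicious),
                "mean_entropy": round(mean, 2),
            }
    return findings


# Constructed resolver log: a few benign lookups and a burst of encoded-looking
# subdomains under one constructed domain.
CONSTRUCTED_LOG = """\
2022-08-25T10:00:01 ws01 query A www.example.com
2022-08-25T10:00:02 ws01 query A mail.example.com
2022-08-25T10:00:03 ws01 query A updates.vendor-example.invalid
2022-08-25T10:00:04 ws01 query A pool.ntp-example.invalid
2022-08-25T10:00:05 ws01 query TXT k3j9q2w7x5t1zr8mv4ybc6hn.example-c2.invalid
2022-08-25T10:00:06 ws01 query TXT p0d4g7s2f9a1lu6eo3ic8bx5.example-c2.invalid
2022-08-25T10:00:07 ws01 query TXT m8n1r5t9w2y6z0q3e7u4i1o5.example-c2.invalid
2022-08-25T10:00:08 ws01 query TXT v2c6b0n4m8x1z5a9s3d7f2g6.example-c2.invalid
2022-08-25T10:00:09 ws01 query TXT h5j1k7l3p9o2i4u8y6t0r3e1.example-c2.invalid
2022-08-25T10:00:10 ws01 query TXT a1s2d3f4g5h6j7k8l9q0w1e2.example-c2.invalid
"""

if __name__ == "__main__":
    for dom, info in find_dns_tunnel_candidates(parse_log(CONSTRUCTED_LOG)).items():
        print(dom, info)
```

The thresholds are starting points: tune min_entropy and min_len against a week of your own resolver logs so that CDNs and telemetry services with long but repetitive hostnames do not drown the signal, and pair the rule with a lookup of the domain's registration date, since the report notes the C2 domain here was registered only weeks before use.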
Many threat actors are now updating their campaigns following Microsoft's decision to block macros by default across Office apps. Most adversaries have since shifted to ISO files and rogue LNK files for deploying malware.
The GO#WEBBFUSCATOR actors have not embraced a similar attack method, but they are more likely to do so in the future.