Researchers at Securonix have discovered a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ in which threat actors use images from the newly operational James Webb deep space telescope to smuggle a malicious executable past antivirus engines.
The attack begins by phishing users into downloading a malicious .docx file that contains VBS macros. These macros download the innocuous-looking James Webb .jpg file originally published by NASA in July 2022. Embedded within the .jpg file, however, is a block of base64-encoded data that, when decoded, yields a malicious 64-bit executable written in Golang. The payload also uses several obfuscation techniques to hinder analysis and evade antivirus.
The malware copies itself to the `%APPDATA%\local\microsoft\vault` directory and adds a registry key that provides persistence. It then begins Command and Control (C2) operations using DNS queries with encrypted data attached. Under observation, Securonix researchers saw the threat actors executing arbitrary commands consistent with the enumeration phase of an infection.
While the vessel for the malicious payload is novel, the method of infection is quite common: phishing combined with malicious .docx macros accounts for a large share of modern attacks. As such, it is highly advisable to train users on how to spot and report phishing emails. Disabling macros by default in programs like Microsoft Word and Excel is also recommended and eliminates a wide variety of attack vectors.
In the event that malware such as this is executed in an organization’s environment, monitoring Windows registry alterations can be very useful for spotting attacks in progress, especially modifications to AutoRun registry keys, which are commonly used for persistence. Monitoring irregular DNS queries can help spot both DNS-based C2 behavior and DNS-based data exfiltration techniques.
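As an added illustration of the DNS-monitoring point above (this is example code, not the Securonix researchers' tooling), the following Python script scans a DNS query log for the pattern a DNS-based C2 channel tends to leave: many distinct, long, high-entropy subdomains under one parent domain. The log lines, domain names and thresholds are constructed placeholders.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client> <queried name>".
# The C2 domain below is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
2022-08-30T10:01:02 10.0.0.12 www.example.com
2022-08-30T10:01:05 10.0.0.12 cdn.example.net
2022-08-30T10:01:07 10.0.0.12 q3v8x1m9z2k7p4w6.c2-placeholder.example
2022-08-30T10:01:08 10.0.0.12 a7t2n5r9y1u4i6o8.c2-placeholder.example
2022-08-30T10:01:09 10.0.0.12 m2b6v9c3x8z1l5k7.c2-placeholder.example
2022-08-30T10:01:10 10.0.0.12 h4g8f2d6s1a9j3k5.c2-placeholder.example
2022-08-30T10:01:12 10.0.0.12 mail.example.org
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, client, qname = parts
            records.append((ts, client, qname.rstrip(".").lower()))
    return records

def parent_domain(qname):
    """Last two labels (assumption: no public-suffix list in this example)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def find_suspicious_domains(records, min_unique=4, min_entropy=3.5, min_label_len=12):
    """Flag parent domains with >= min_unique distinct long, high-entropy subdomains."""
    per_parent = defaultdict(set)
    for _, _, qname in records:
        per_parent[parent_domain(qname)].add(qname)
    flagged = {}
    for parent, names in per_parent.items():
        hits = [n for n in names
                if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy
                       for l in n[:-len(parent) - 1].split(".") if l)]
        if len(hits) >= min_unique:
            flagged[parent] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for parent, names in find_suspicious_domains(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious DNS activity under {parent}: {len(names)} unique subdomains")
```

Tune the thresholds against a baseline of your own resolver logs; CDNs and some telemetry services legitimately produce long random-looking labels, so treat a hit as a lead for investigation rather than a verdict.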