Researchers at Securonix have discovered a new malware campaign, dubbed ‘GO#WEBBFUSCATOR’, in which threat actors use an image from the newly operational James Webb Space Telescope to smuggle a malicious executable past antivirus engines.
The attack begins by phishing users into downloading and opening a malicious .docx file that contains VBS macros. These macros download an innocuous-looking James Webb .jpg file originally published by NASA in July 2022. Embedded within the .jpg, however, is a block of base64-encoded data that, when decoded, yields a malicious 64-bit executable written in Go (Golang). The payload also uses several obfuscation techniques to stump analysts and evade antivirus.
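The smuggling step above (a base64 blob hidden inside an image that decodes to a Windows executable) is easy to check for mechanically. The script below is an added example, not code from Securonix or from the campaign: it scans a file's raw bytes for long base64 runs, decodes each, and reports any that decode to a PE image (an 'MZ' stub whose e_lfanew offset points at a 'PE\0\0' signature). The JPEG container and the fake PE are constructed samples, and the 64-character minimum run length is an assumed threshold chosen to skip short alphabet-like byte runs such as EXIF strings.

```python
import base64
import binascii
import re
import struct

# Assumed threshold: shorter base64-looking runs (file names, EXIF text)
# are noise; a payload worth smuggling is far longer than this.
MIN_B64_RUN = 64


def is_pe_image(blob: bytes) -> bool:
    """True if blob looks like a Windows PE: an 'MZ' DOS stub and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew : e_lfanew + 4] == b"PE\x00\x00"


def extract_embedded_executables(data: bytes, min_run: int = MIN_B64_RUN) -> list:
    """Scan raw bytes (an image, a document, anything) for base64 runs of at
    least min_run characters, decode each, and return those that decode to a
    PE image, together with the offset at which the run starts."""
    # Match on bytes so the binary image data never has to be decoded as text.
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    hits = []
    for m in pattern.finditer(data):
        run = m.group(0)
        # base64 decodes in 4-character groups; drop a ragged tail so a run
        # that merely abuts other alphabet-like bytes still decodes.
        run = run[: len(run) - len(run) % 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except (ValueError, binascii.Error):
            continue
        if is_pe_image(decoded):
            hits.append({"offset": m.start(), "size": len(decoded), "payload": decoded})
    return hits


# Constructed sample data (not the NASA image or the real payload): a tiny
# fake PE and a minimal JPEG-like container. The encoded PE is appended after
# the EOI marker (FF D9), which image decoders ignore, so the file still
# renders as a picture.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58              # DOS header up to e_lfanew
    + struct.pack("<I", 0x40)         # e_lfanew -> PE header at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 100   # PE signature plus padding
)
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00\x01\xff" * 32 + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + base64.b64encode(SAMPLE_PE)

if __name__ == "__main__":
    for hit in extract_embedded_executables(STEGO_JPEG):
        print(f"PE payload at offset {hit['offset']}, {hit['size']} bytes")
```

Because the scanner looks at the whole byte stream rather than a fixed location, it finds the payload whether it sits after the EOI marker, inside a comment or APP segment, or in an embedded certificate. Base64 is only one encoding; a defender running this on a mail gateway would pair it with a scan for raw 'MZ' headers and for hex-encoded runs as well.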
The malware copies itself to the %APPDATA%\local\microsoft\vault directory and adds a registry key for persistence. It then begins command-and-control (C2) communication over DNS, with encrypted data carried in the queries. Under observation, Securonix researchers saw the threat actors execute arbitrary commands consistent with the enumeration phase of an infection.
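C2 over DNS leaves a trace in resolver logs: the encoded or encrypted payload has to travel in the query name, so the names are long, high-entropy, and repeated toward one domain. The script below is an added example, not code from Securonix, and it does not decode the campaign's actual protocol. It runs two heuristics over constructed query-log lines (an assumed format of timestamp, client, query type, query name): flag a query whose subdomain has a label of 30 or more characters or whose subdomain text has Shannon entropy of 3.5 bits per character or more, then alert only on a client/domain pair with at least three such queries. The thresholds are assumptions to tune against local traffic; the registered-domain split is a naive last-two-labels rule rather than a public suffix list lookup.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (not from the Securonix report).
# Assumed line format: <timestamp> <client-ip> <qtype> <qname>
SAMPLE_LOG = """\
2022-08-30T10:00:01Z 10.0.0.5 A www.example.com
2022-08-30T10:00:02Z 10.0.0.7 A www.example.com
2022-08-30T10:00:03Z 10.0.0.7 TXT n4k2q7x9ZpL0wRt8vB3mYc6dHf1jS5aE.a3f9.c2-domain.test
2022-08-30T10:00:04Z 10.0.0.7 TXT Gh7Kp2Lm9Qr4St6Uv8Wx0Yz1Ab3Cd5Ef.a3f9.c2-domain.test
2022-08-30T10:00:05Z 10.0.0.7 TXT Jq5Wn8Bx1Mz4Cv7Lk0Pf3Rt6Hy9Dg2Sa.a3f9.c2-domain.test
2022-08-30T10:00:06Z 10.0.0.5 AAAA mail.example.com
2022-08-30T10:00:07Z 10.0.0.5 A cdn-assets.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed thresholds; tune against a baseline of the local network's traffic.
MAX_LABEL_LEN = 30   # ordinary hostnames rarely carry a label this long
MIN_ENTROPY = 3.5    # bits/char; encoded or encrypted data sits well above readable names
MIN_HITS = 3         # alert only after repeated suspicious queries to one domain


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain split: the last two labels.
    A production detector would use the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_suspicious_qname(qname: str) -> bool:
    """Per-query heuristic: a very long label, or a long subdomain whose
    characters look like encoded data rather than a hostname."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]          # everything left of the registered domain
    if not sub_labels:
        return False
    subdomain = "".join(sub_labels)
    longest = max(len(label) for label in sub_labels)
    return longest >= MAX_LABEL_LEN or (
        len(subdomain) >= 20 and shannon_entropy(subdomain) >= MIN_ENTROPY
    )


def find_dns_tunnel_candidates(lines) -> dict:
    """Aggregate per (client, registered domain) and return
    {(client, domain): hit_count} for pairs with at least MIN_HITS
    suspicious queries. Malformed lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        if is_suspicious_qname(qname):
            hits[(client, registered_domain(qname))] += 1
    return {pair: n for pair, n in hits.items() if n >= MIN_HITS}


if __name__ == "__main__":
    for (client, domain), n in find_dns_tunnel_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{client} sent {n} suspicious queries to {domain}")
```

The aggregation step matters more than either per-query test: CDN hostnames, anti-spam lookups, and some EDR products legitimately produce long or random-looking labels, and alerting on a single query to such a domain drowns the signal. Pairing the count with a rare-domain or newly-seen-domain check, and with the TXT or NULL record types that tunnels favour, tightens it further.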