James Webb telescope becomes a vector for malware propagation

September 3, 2022

The James Webb telescope becomes the newest vector for another malware campaign, dubbed GO#WEBBFUSCATOR, wherein its operators spread malware through phishing emails, malicious files, and space images captured by the world-renowned optical telescope.

Based on the investigations, the malware is a cross-platform, Golang-based payload that can run on multiple operating systems and is built to evade security detection, analysis, and reverse engineering.

The threat operators initially send phishing emails carrying malicious documents that, once opened, download a template file containing an obfuscated VBS macro. The template executes automatically if macros are enabled in the victim's Office suite. The macro code then downloads a [.]JPG image file from the threat operators' remote server, decodes the image file into an executable, and launches it.


The [.]JPG image file from the attached malicious document on the phishing email shows a photo of the galaxy cluster SMACS 0723 captured by the James Webb telescope and published by NASA last month.


Security researchers opened the image file in a text editor and found additional hidden content disguised as a certificate. The fake certificate is a Base64-encoded payload that becomes a 64-bit malicious executable after a series of decoding steps.
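The hiding technique described above (a valid-looking image with a fake PEM certificate appended after the image data) can be checked for mechanically. The following is an added example, not code from the original article or from the researchers who analysed the campaign: it builds a constructed sample file (a minimal JPEG skeleton plus a fake certificate block whose Base64 body decodes to bytes beginning with the "MZ" PE magic, not the real campaign image), then scans for data after the JPEG end-of-image marker, extracts any certificate-style block, Base64-decodes it and reports whether the result looks like a Windows executable. The function and variable names are this example's own.

```python
import base64
import re

# JPEG framing bytes: SOI (start of image) and EOI (end of image) markers.
JPEG_SOI = b"\xff\xd8\xff\xe0"
JPEG_EOI = b"\xff\xd9"

# Matches a PEM-style certificate block and captures its Base64 body.
CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def build_sample_image(payload: bytes) -> bytes:
    """Constructed sample: a tiny JPEG skeleton followed by a fake PEM block that
    carries `payload` in Base64. This is test data, not the campaign's image."""
    fake_cert = (
        b"-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(payload)
        + b"-----END CERTIFICATE-----\n"
    )
    return JPEG_SOI + b"\x00" * 16 + JPEG_EOI + fake_cert


def trailing_data(image: bytes) -> bytes:
    """Return the bytes that follow the last EOI marker (FF D9).

    A well-formed viewer stops rendering at EOI, so anything after it is
    invisible to the user. rfind is adequate for appended text such as PEM;
    a production parser should walk the JPEG segment structure instead."""
    idx = image.rfind(JPEG_EOI)
    if idx < 0:
        return b""
    return image[idx + len(JPEG_EOI):]


def extract_hidden_payloads(image: bytes) -> list:
    """Find certificate-style blocks after EOI, decode them and summarise each.

    Returns one dict per decodable block with its decoded size and whether the
    decoded bytes start with the 'MZ' magic of a Windows PE executable."""
    results = []
    for match in CERT_RE.finditer(trailing_data(image)):
        body = re.sub(rb"\s+", b"", match.group("body"))  # drop PEM line breaks
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        results.append({
            "size": len(decoded),
            "looks_like_pe": decoded[:2] == b"MZ",
        })
    return results


if __name__ == "__main__":
    # Constructed payload: PE magic followed by filler, so the detector fires.
    sample = build_sample_image(b"MZ" + b"\x90" * 62)
    for finding in extract_hidden_payloads(sample):
        print(f"hidden block: {finding['size']} bytes, PE header: {finding['looks_like_pe']}")
```

Run it against a real file with `extract_hidden_payloads(open(path, "rb").read())`; an empty list means no certificate-style block follows the image data. Any non-empty trailing data is itself worth flagging in a pipeline, since legitimate images rarely carry bytes after EOI.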

A dynamic malware analysis was conducted to study the campaign. The analysis showed that the executable achieves persistence by copying itself into a ‘localappdata’ folder and adding a new registry key.

The malware then establishes a DNS connection to the threat operators’ C2 server, forwarding encrypted queries that are decrypted once they reach the remote server. The researchers explained that all data carried by the malware was Base64-encoded, including its communication with the hackers’ remote server.

On the C2 server side, the operators respond to the malware at set time intervals between connection requests. They also change the ‘nslookup’ timeout and send commands that are run through the Windows cmd[.]exe tool.
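Because the C2 channel described above rides on DNS queries whose data is Base64-encoded, the defensive signal is in the query names themselves: one parent domain receiving many distinct, long, high-entropy leftmost labels. The following is an added example, not code from the article or the researchers: it parses a constructed DNS query log (the timestamps, clients, the tunnelling domain `c2-placeholder.test` and its labels are all made up for this example) and flags parent domains whose subdomain labels look like encoded data rather than hostnames. Thresholds and function names are this example's own assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: timestamp client qtype qname.
# The encoded-looking labels under c2-placeholder.test are made-up Base64 text.
SAMPLE_LOG = """\
2022-08-30T10:00:01Z ws01 A www.example.com
2022-08-30T10:00:02Z ws01 A cdn.example.net
2022-08-30T10:00:03Z ws01 A mail.example.com
2022-08-30T10:00:05Z ws02 A Q29uc3RydWN0ZWQx.c2-placeholder.test
2022-08-30T10:00:07Z ws02 A c2FtcGxlLWRhdGEtMg.c2-placeholder.test
2022-08-30T10:00:09Z ws02 A Zm9vYmFyYmF6cXV4.c2-placeholder.test
2022-08-30T10:00:11Z ws02 A bG9nLWxpbmUtMDM0.c2-placeholder.test
2022-08-30T10:00:13Z ws02 A dGVzdC1wYXlsb2Fk.c2-placeholder.test
2022-08-30T10:00:15Z ws01 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; Base64 of arbitrary data scores high,
    ordinary hostnames such as 'www' or 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        yield client, qtype, qname.rstrip(".").lower()


def find_tunnelling_domains(text: str, min_unique: int = 4,
                            min_len: float = 12, min_entropy: float = 3.0) -> dict:
    """Group queries by parent domain and flag parents whose leftmost labels are
    numerous, long and high-entropy, i.e. look like data rather than hostnames."""
    labels_per_parent = defaultdict(set)
    for _client, _qtype, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare 'example.com' has no label to carry data in
        # Naive parent extraction; use a public-suffix list in production.
        parent = ".".join(labels[-2:])
        labels_per_parent[parent].add(labels[0])

    flagged = {}
    for parent, subs in labels_per_parent.items():
        if len(subs) < min_unique:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[parent] = {
                "unique_labels": len(subs),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in find_tunnelling_domains(SAMPLE_LOG).items():
        print(f"suspect DNS tunnelling via {domain}: {stats}")
```

The three criteria are deliberately combined: long labels alone catch CDNs, high entropy alone catches hash-named hosts, and many unique labels alone catches legitimate wildcard services. Together they describe a domain that is being used as a data channel, which is the behaviour a resolver log should surface.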

The first domain used by the GO#WEBBFUSCATOR campaign, which leverages James Webb telescope images to spread malware, was registered on May 29, and several newer malicious domains have been spotted being registered recently.
