And why not, considering that trendsploitation distracts and disarms victims seeing a famous image pop up on their compromised machine!
A new cyber threat campaign has been spotted leveraging the famous deep field image taken from the James Webb telescope, and also obfuscating Golang programming language (Go) payloads to infect the target systems with malware.
Golang-based malware is gaining popularity with APT groups such as Mustang Panda. There are a few reasons why these APTs may be seen as moving to the Go platform. Firstly, Go binaries are much more difficult to analyze and reverse engineer compared to C++ or C# compiled binaries.
Go is also highly flexible in terms of cross-platform support and compilation. Malware authors are able to compile code using a common codebase for multiple platforms such as Windows and UNIX-like operating systems.
Additionally, there are several prominent malware frameworks such as ColdFire and OffensiveGolang designed to produce Go-based malware and executables.
Revealing these findings, Securonix analysts have identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. Initial infection begins with a phishing email containing a Microsoft Office attachment that hides an external reference inside the document’s metadata, which then downloads a malicious template file from a web page masquerading as a legitimate Microsoft resource.
The malicious template contains a VB script that initiates code execution if macros are enabled. The unique thing henceforth is that the malware downloads a copy of James Webb deep field image (in JPG format) that embeds malicious Base64 code disguised as an included certificate supported by certutil.exe, a legitimate tool from Microsoft. The extracted code is then used to build a Windows executable called “msdllupdate.exe” that subsequently employs several obfuscation techniques to evade detection of its activities.
As per cyber hygiene best practices, organizations should monitor for suspicious and persistent DNS queries and/or repeated nslookup requests, disallow use of Office Macros, prevent Office products from spawning child processes, and educate all staff to avoid downloading unknown email attachments from non-trusted sources.