Images from the James Webb Space Telescope are, to put it simply, beautiful. But cybercriminals are among the reasons why the world can’t have nice things, since said images are being used as a new vector to spread malware. Security analytics platform Securonix has found a new malware campaign that it calls GO#WEBBFUSCATOR, which hides malware in a copy of Webb’s First Deep Field.
As is frequently the case these bad actors start by trying to get you to download a suspicious Microsoft Office file with a phishing email. The attachment hides a URL which downloads a file with a script, which activates when certain Microsoft Word macros are enabled. That file then downloads a contaminated copy of Webb’s First Deep Field hiding malicious code in the guide of a certificate. The malware is ultimately used to run “arbitrary enumeration commands” on an infected system.
Popular Science quotes Augusto Barros, VP at Securonix, as saying that there are a couple of reasons why the James Webb Space Telescope image was used as a vector to spread this malware. One is the file’s relatively large size, due to the original image’s high resolution, which helps it evade suspicion.
Second is the fact that it’s an image that’s been widely shared for the past couple of months. This usually means that when the image gets flagged by an antivirus software, potential victims are more likely to give it a pass. On that note, Securonix also notes that most antivirus programs are not able to detect the malicious code in the image.
One final nerdy detail about this new malware campaign is that it uses Golang, Google’s open-source programming language. Securonix notes that this language is rising in popularity among cybercriminals because of its flexible cross-platform support. Another element to it is the difficulty in analysing and reverse engineering malware using this language compared to more conventional options.
(Source: Securonix, Popular Science via Engadget)
The post Cybercriminals Hide Malware Inside James Webb Telescope Image appeared first on Lowyat.NET.