Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope:
A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.
The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the operators to leverage a common codebase to target different operating systems.
[...] Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros.
The execution of the macro results in the download of an image file "OxB36F8GEEC634.jpg" that seemingly is an image of the First Deep Field captured by JWST but, when inspected using a text editor, is actually a Base64-encoded payload.
[...] The binary, a Windows 64-bit executable with a size of 1.7MB, is not only equipped to fly under the radar of antimalware engines, but is also obscured by means of a technique called gobfuscation, which makes use of a Golang obfuscation tool publicly available on GitHub.
[...] Microsoft's decision to block macros by default across Office apps has led many an adversary to tweak their campaigns by switching to rogue LNK and ISO files for deploying malware. It remains to be seen if the GO#WEBBFUSCATOR actors will embrace a similar attack method.
"Using a legitimate image to build a Golang binary with Certutil is not very common," the researchers said, adding, "it's clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind."
On the other hand, maybe they won't have to use rogue LNK and ISO files after all: Microsoft Rolls Back Blocking Office VBA Macros by Default
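The lure described above, as an added example that is not part of the original story or the Securonix write-up: a defender-side content check that flags a file with an image extension whose bytes are not a JPEG at all but Base64 text that decodes to a Windows executable. The function name and the sample lure bytes are constructed for this example.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8\xff"      # every real JPEG begins with the SOI marker
PE_MAGIC = b"MZ"                # DOS stub header of a Windows executable
B64_LINE = re.compile(rb"^[A-Za-z0-9+/=]*$")


def classify_image_file(data: bytes) -> str:
    """Classify bytes served under an image name (assumed helper name).

    Returns "jpeg", "base64-pe", "base64-other" or "unknown".
    """
    if data.startswith(JPEG_SOI):
        return "jpeg"
    # certutil-style files may wrap the blob in BEGIN/END CERTIFICATE lines;
    # drop those and blank lines, then require the Base64 alphabet only.
    lines = [ln.strip() for ln in data.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith(b"-----")]
    if not body or not all(B64_LINE.match(ln) for ln in body):
        return "unknown"
    blob = b"".join(body)
    blob += b"=" * (-len(blob) % 4)   # tolerate stripped padding
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-pe" if decoded.startswith(PE_MAGIC) else "base64-other"


# Constructed stand-in for the lure: a tiny fake PE, Base64-wrapped the way
# certutil -encode would emit it. Not the real OxB36F8GEEC634.jpg contents.
CONSTRUCTED_LURE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"MZ" + b"\x90" * 62)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    for name, blob in (("real.jpg", real_jpeg), ("lure.jpg", CONSTRUCTED_LURE)):
        print(name, "->", classify_image_file(blob))
```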
Related Stories
Microsoft is reworking its Office VBA macro blocks:
Microsoft is rolling back a planned change to block Visual Basic for Applications (VBA) macros by default in a variety of Office apps. Announced earlier this year, Microsoft had been planning to prevent Office users from easily enabling certain content in files downloaded from the internet that include macros, in a move to improve security against malicious files. Microsoft had been testing this change ahead of a planned rollout to all Microsoft 365 users in June, but suddenly reverted the block on June 30th.
BleepingComputer reports that Microsoft notified IT admins last week that it was rolling back the VBA macro block based on feedback from Office users testing the changes. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience," reads a Microsoft 365 message.
The unusual rollback has surprised some Microsoft 365 users, as many had been waiting years for Microsoft to be more aggressive about blocking macros from Office files. Hackers have been regularly targeting Office documents with malicious macros, and Office has typically prompted users to click to enable macros running with a simple button. Microsoft's planned changes meant Office users would only be able to enable the macros by specifically ticking an unblock option on the properties of a file.
See also: Microsoft rolls back decision to block Office macros by default
(Score: 5, Insightful) by FatPhil on Friday September 02 2022, @09:09AM (2 children)
Microsoft office
Macros
FFS, is this still the '90s?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Insightful) by Rich on Friday September 02 2022, @01:09PM (1 child)
I had a Quadra 700 at the beginning of the 90s, which came with 4 MB of RAM and that was quite the luxury option. In the 90s, you wouldn't have needed said "antimalware-engines" to notice a 1.7MB executable hogging your entire machine. :P
(Score: 3, Interesting) by inertnet on Friday September 02 2022, @08:13PM
In the 90s I wrote some code to hide messages in plain text (and reveal them again of course), just for fun, by switching between one or two spaces between words, and adding spaces before line endings (or not). It was hard to spot, especially in proportional fonts, but you could only hide something like a dozen bytes per page of text. And Microsoft of course crippled the encoding in emails, because they simply reformat everything without asking or telling.