The deep field imagery obtained by NASA’s James Webb Space Telescope (JWST) has been used as a lure by a persistent Golang-based malware campaign known as GO#WEBBFUSCATOR to install malicious payloads on affected devices. Given Go’s cross-platform capability, which essentially enables operators to use the same codebase to target multiple operating systems, the development disclosed by Securonix speaks to the expanding usage of the programming language by threat actors.
Compared with malware written in languages such as C++ or C#, Go binaries also give attackers the added advantage of being far harder to reverse engineer, which prolongs analysis and delays detection. The attack chain starts with phishing emails carrying a Microsoft Office attachment that, when opened, retrieves an obfuscated VBA macro; if the recipient enables macros, the macro executes automatically.
When the macro runs, it downloads a file named “OxB36F8GEEC634.jpg” that appears to be an image of the First Deep Field taken by JWST but, when examined in a text editor, turns out to be a Base64-encoded payload. Securonix researchers T. Peck, D. Iuzvyk, and O. Kolesnikov said that “the deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it.”
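The decoding step described above is a useful triage signal for defenders: a file that claims to be an image but contains only Base64 text, and decodes to a PE, is not an image at all. The following is an added example, not code from the Securonix report or the campaign; it mimics the way `certutil -decode` reads a file (whitespace and an optional PEM-style header/footer are ignored, then the body is Base64-decoded), classifies the result by its magic bytes, and extracts the input operand from a `certutil -decode` command line for log-based detection. The fake PE bytes and the sample command line are constructed here; the file names are the ones the article quotes.

```python
import base64
import binascii
import re

JPEG_MAGIC = b"\xff\xd8\xff"      # start of every JPEG file
PE_MAGIC = b"MZ"                  # DOS header that opens a Windows executable

# certutil -decode tolerates PEM-style armour lines around the Base64 body.
PEM_ARMOUR_RE = re.compile(rb"-----(?:BEGIN|END) [A-Z ]+-----")

# Matches "certutil[.exe] ... -decode <input>" and captures the input file.
CERTUTIL_DECODE_RE = re.compile(
    r"\bcertutil(?:\.exe)?\b[^\n]*?\s-decode\s+(?P<src>\"[^\"]+\"|\S+)", re.I
)


def certutil_style_decode(data: bytes):
    """Decode a file the way certutil -decode would.

    Strips optional PEM armour and all whitespace, then requires the remainder
    to be strictly valid Base64. Returns the decoded bytes, or None when the
    input is not Base64 text at all (e.g. a genuine binary image).
    """
    body = PEM_ARMOUR_RE.sub(b"", data)
    body = re.sub(rb"\s+", b"", body)
    if not body:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_image_file(data: bytes) -> str:
    """Classify bytes that arrived under an image file name.

    Returns one of:
      "jpeg"              - real JPEG magic bytes
      "base64-wrapped-pe" - Base64 text that decodes to a PE (the lure pattern)
      "base64-text"       - Base64 text that decodes to something else
      "unknown"           - neither JPEG nor Base64
    """
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    decoded = certutil_style_decode(data)
    if decoded is None:
        return "unknown"
    if decoded.startswith(PE_MAGIC):
        return "base64-wrapped-pe"
    return "base64-text"


def certutil_decode_source(cmdline: str):
    """Return the input file of a certutil -decode command line, or None.

    Useful on process-creation telemetry: a -decode whose input carries an
    image extension (as in this campaign) deserves a closer look.
    """
    m = CERTUTIL_DECODE_RE.search(cmdline)
    if not m:
        return None
    return m["src"].strip('"')


# Constructed sample data (not the real lure): a fake PE stub, Base64-encoded
# with line wrapping, standing in for the downloaded "image".
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00" + b"constructed stub, not a real executable"
SAMPLE_LURE = base64.encodebytes(FAKE_PE)
SAMPLE_PLAIN_B64 = base64.b64encode(b"just text")
SAMPLE_CMDLINE = "certutil.exe -decode OxB36F8GEEC634.jpg msdllupdate.exe"

if __name__ == "__main__":
    print("lure file classified as:", classify_image_file(SAMPLE_LURE))
    print("decode source from command line:", certutil_decode_source(SAMPLE_CMDLINE))
```

The classifier deliberately checks the JPEG magic before attempting Base64, so a genuine image is never mis-parsed; a PNG or other binary falls through to "unknown" rather than raising.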
The binary, a 1.7MB Windows 64-bit executable, is not only designed to evade detection by antimalware engines but is also obfuscated through a process known as gobfuscation, which uses a Golang obfuscation tool that is freely available on GitHub. The gobfuscate library has already been linked to the ChaChi actors, the Sliver command-and-control (C2) framework, and the remote access trojan used by the PYSA (aka Mespinoza) ransomware developers.
Communication with the C2 server takes place over encrypted DNS queries and responses, letting the malware execute commands received from the server via the Windows Command Prompt (cmd.exe). According to reports, the C2 domains for the campaign were registered in late May 2022. Since Microsoft decided to disable macros by default across all Office products, several adversaries have adapted their campaigns to use malicious LNK and ISO files instead. Whether the GO#WEBBFUSCATOR operators will adopt a similar attack strategy is unknown.
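Because the C2 channel rides on DNS, resolver logs are the place to look for it. The following is an added example, not code from the Securonix report or the campaign: it aggregates queries per client and registered domain and flags the pattern that data-carrying DNS traffic tends to leave, namely many queries to one domain in which nearly every query uses a fresh, long, high-entropy subdomain label. The log format, the `c2-placeholder.example` domain and the hex labels are all constructed for the example; the thresholds are starting points to tune against your own baseline, and the two-label notion of "registered domain" is a simplification that ignores public-suffix rules.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed resolver log format (not any real product's): one query per line.
LINE_RE = re.compile(r"client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex sits near 4.0, words near 2-3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered domain: the last two labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dns_tunnel_candidates(log_text: str, min_queries: int = 5,
                               min_unique_ratio: float = 0.8,
                               min_label_len: int = 20,
                               min_entropy: float = 3.0):
    """Return (client, domain) pairs whose query pattern looks like DNS tunnelling.

    A pair is flagged when it has at least min_queries queries, almost every
    query carries a distinct subdomain, and at least half of the leftmost
    labels are both long and high-entropy (what encoded payload data looks like).
    """
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "long_high_entropy": 0, "txt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        domain = registered_domain(qname)
        st = stats[(m["client"], domain)]
        st["queries"] += 1
        sub = qname[: -len(domain)].rstrip(".") if qname != domain else ""
        st["subdomains"].add(sub)
        leftmost = sub.split(".")[0] if sub else ""
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            st["long_high_entropy"] += 1
        if m["qtype"].upper() == "TXT":
            st["txt"] += 1

    flagged = []
    for (client, domain), st in stats.items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        payload_ratio = st["long_high_entropy"] / st["queries"]
        if unique_ratio >= min_unique_ratio and payload_ratio >= 0.5:
            flagged.append({"client": client, "domain": domain,
                            "queries": st["queries"],
                            "unique_subdomains": len(st["subdomains"]),
                            "txt_queries": st["txt"]})
    return sorted(flagged, key=lambda f: f["domain"])


# Constructed sample log: ordinary lookups to example.com, followed by TXT
# queries whose subdomains are deterministic hex stand-ins for encrypted data.
BENIGN_LINES = [
    "2022-06-01T10:00:01Z client=10.0.0.5 qtype=A qname=www.example.com",
    "2022-06-01T10:00:02Z client=10.0.0.5 qtype=A qname=mail.example.com",
    "2022-06-01T10:00:03Z client=10.0.0.5 qtype=A qname=www.example.com",
    "2022-06-01T10:00:04Z client=10.0.0.5 qtype=A qname=cdn.example.com",
    "2022-06-01T10:00:05Z client=10.0.0.5 qtype=A qname=www.example.com",
]


def _constructed_tunnel_lines(n: int):
    lines = []
    for i in range(n):
        label = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:32]
        lines.append(f"2022-06-01T10:01:{i:02d}Z client=10.0.0.5 qtype=TXT "
                     f"qname={label}.c2-placeholder.example")
    return lines


SAMPLE_DNS_LOG = "\n".join(BENIGN_LINES + _constructed_tunnel_lines(8))

if __name__ == "__main__":
    for hit in find_dns_tunnel_candidates(SAMPLE_DNS_LOG):
        print(hit)
```

The benign traffic is not flagged because the same few hostnames recur (low unique ratio) and the labels are short dictionary words; the placeholder C2 domain is flagged on both counts. In production the same aggregation would run over a sliding window per client, and the registered-domain step should use a public suffix list.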
“Using a legitimate image to build a Golang binary with Certutil is not very common,” said the researchers, adding, “it’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind.”