AL2022_56 Threat actors leverage James Webb Telescope Image and Office Macros to infect systems with malware (1st September 2022)

Description 

A Golang-based malware campaign dubbed GO#WEBBFUSCATOR leverages the infamous James Webb telescope deep field image to deliver malware to targeted systems.  

Summary 

This malware campaign using the Go platform programming language which is seen gaining a rise in popularity amongst threat actors because of the programming language’s cross platform capabilities and the binaries that are much more difficult to analyze and reverse engineer. The cross-platform capability allows a single codebase to be compiled into all major operating systems, therefore a code written on Linux can also run on a Windows or Mac system. This allows threat actors to increase the range of targets that they can attack. The deep field image used in this malware campaign is a Based64-encoded payload in disguise used to carry out the infection. The malware is spread through phishing emails containing a malicious Microsoft Office attachment.  

How it works 

When the malicious Microsoft attachment is opened, it retrieves an obfuscated VBA macro that is auto executed if the infected machine has macros enabled. This VBA macro in turn downloads the image file ‘OxB36F8GEEC634.jpg’ which is seemingly the image of the deep field image. However, if this image is inspected in a text editor, it contains a malicious Based64-encoded payload.  

The Based64-encoded payload is decoded using a command-line program called certutil.exe, which produces a binary called msdllupdate.exe which is then executed. The binary msdllupdate.exe, which is a Windows 64-bit executable file of size 1.7MB is obscured using a technique called gobfiscation, a Golang obfuscation tool. This tool manipulates package names, global variable and function names, type names, method names, and strings by using ROT25 and XOR encryption.  

C2 communication is facilitated through unique encrypted DNS queries and responses where the encrypted messages are read in and unencrypted on the C2 server, allowing the threat actors to either establish an encrypted channel for command and control, or exfiltrate sensitive data. The C2 server can communicate to the malware by setting time intervals between connection requests, changing the nslookup timeout, or send commands to be executed using the Windows Command Prompt (cmd.exe).  

Indicators of Compromise  

For a list of IOCs for this malware campaign, please see the following URL: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/ 

Remediation  

To circumvent this type of malware, users are advised to follow the steps below: 

  1. Avoid downloading unknown email attachments from non-trusted sources as these attachments are likely malicious in nature.  

  1. Disable Macros across all Office applications.  

  1. Securonix recommends blocking Office applications from creating child processes. More information on this can be found on Microsoft’s attack surface reduction reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide  

  1. Monitor your network for suspicious and persistent DNS queries and/or repeated nslookup requests.  

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.  

PDF Download: Threat_actors_leverage_James_Webb_Image_to_infect_systems.pdf

References