This is why we can’t have nice things: Security analytics firm Securonix has revealed that hackers have nefariously hidden malware code in a copy of an image from the Webb Space Telescope as part of a broader hacking campaign.
The Webb Space Telescope is offering views of our universe like never before, but hackers are attempting to use images from the telescope for more sinister purposes. Securonix recently published a blog that blows the lid off of a hack involving a phishing email, a phony Microsoft Office attachment, and SMACS 0723, the first full-colour image from the Webb Space Telescope that was unveiled earlier this summer. The attack campaign, titled GO#WEBBFUSCATOR, is a super complex, multi-stage malware attack meant to infiltrate your computer.
The campaign is written in Go — also referred to as Golang — and Securonix argues that a rise in Go-based malware attacks could be due to how difficult it is to reverse engineer the language and/or how flexible the language can be at operating across different platforms like Windows, Mac, and Linux.
“To the best of our knowledge, this campaign has been targeting a range of victims in different countries,” said Oleg Kolesnikov. Kolesnikov is Securonix’s vice president of Threat Research. “There have been multiple layers of obfuscation/[antivirus] evasion and a number of different payloads involved in the attack. We do not know yet what the end-goal objective of the attack is.”
The attack is a multi-stage campaign that begins with a phishing email containing an unsuspecting attachment modelled to look like it’s come from Microsoft Office. When downloaded, a malicious file will begin downloading. If the user has the right macros installed, the file will then execute the download of an image file, which appears as the SMACS 0723 image from the Webb Space Telescope but contains a Base64 code. Securonix then found that the malware would execute encrypted DNS queries to connect with C2 servers and run arbitrary enumeration commands, which Bleeping Computer says is a standard first reconnaissance step for hackers to poke and prod at a targeted computer.
The good news is that the original SMACS 0723 image appears to be safe and is still gorgeous to look at — just be wary of any strange Microsoft Office attachments sent to your email.