Researchers at Securonix have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.

The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

The infection starts with a phishing email with an attached malicious document, “Geos-Rates.docx”, which downloads a template file.

That file contains an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite. The code then downloads a JPG image (“OxB36F8GEEC634.jpg”) from a remote resource (“xmlschemeformat[.]com”), decodes it into an executable (“msdllupdate.exe”) using certutil.exe, and launches it.

Obfuscated VBS macro (left) and decoded command to download the JPG file (right) (Securonix)

In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022.

However, if opened with a text editor, the image reveals additional content disguised as an included certificate, which is a Base64-encoded payload that turns into the malicious 64-bit executable.

Same file is on the image viewer (left) and on the text editor (right) (Securonix).

The payload’s strings are further obfuscated using ROT25, while the binary uses XOR to hide the Golang assemblies from analysts. On top of that, the assemblies use case alteration to avoid signature-based detection by security tools.

Based on what could be deduced via dynamic malware analysis, the executable achieves persistence by copying itself to ‘%%localappdata%%\microsoft\vault\’ and adding a new registry key.

Buy Me a Coffee

Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.

READ
Russian National Extradited to U.S. on Charges of Running Phobos Ransomware Operation

“The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents,” explains Securonix in the report.

“In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64.”

The C2 may respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending out commands to execute through the Windows cmd.exe tool.

During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.

The researchers note that the domains used for the campaign were registered recently, the oldest one on May 29, 2022.

Securonix has provided a set of indicators of compromise (IoCs) that includes both network and host-based indicators.

(Via Bleepingcomputer)