November 14, 2024

A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA’s James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.

The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language’s cross-platform support, effectively allowing the operators to leverage a common codebase to target different operating systems.

Go binaries also have the added benefit of rendering analysis and reverse engineering difficult as opposed to malware written in other languages like C++ or C#, not to mention prolong analysis and detection attempts.

Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros.

The execution of the macro results in the download of an image file “OxB36F8GEEC634.jpg” that seemingly is an image of the First Deep Field captured by JWST but, when inspected using a text editor, is actually a Base64-encoded payload.

“The deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it,” Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov said.

The binary, a Windows 64-bit executable with a size of 1.7MB, is not only equipped to fly under the radar of antimalware engines, but is also obscured by means of a technique called gobfuscation, which makes use of a Golang obfuscation tool publicly available on GitHub.

The gobfuscate library has been previously documented as used by the actors behind ChaChi, a remote access trojan employed by the operators of the PYSA (aka Mespinoza) ransomware as part of their toolset, and the Sliver command-and-control (C2) framework.

Communication with the C2 server is facilitated through encrypted DNS queries and responses, enabling the malware to run commands sent by the server through the Windows Command Prompt (cmd.exe). The C2 domains for the campaign are said to have been registered in late May 2022.

Microsoft’s decision to block macros by default across Office apps has led many an adversary to tweak their campaigns by switching to rogue LNK and ISO files for deploying malware. It remains to be seen if the GO#WEBBFUSCATOR actors will embrace a similar attack method.

“Using a legitimate image to build a Golang binary with Certutil is not very common,” the researchers said, adding, “it’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind.”