Securonix threat researchers uncovered a persistent Golang-based malware campaign, tracked as GO#WEBBFUSCATOR, that leveraged the deep field image taken by the James Webb Space Telescope.
The phishing emails carry a Microsoft Office attachment whose metadata includes an external reference that downloads a malicious template file.
When the document is opened, the malicious template file is downloaded and saved on the system. The template contains a Visual Basic script (macro) that starts the infection process.
Once the macro is executed, an image file, “OxB36F8GEEC634.jpg”, that appears to be the First Deep Field captured by JWST is downloaded. By inspecting the file in a text editor, the researchers found that it includes a Base64-encoded payload.
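As an added illustration, not code from the original report or from Securonix: a Python check that flags a JPEG carrying data appended after its end-of-image marker and attempts to decode that trailer as Base64, the pattern described above. The sample image and payload are constructed inline; the hypothetical helper names are my own.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"  # start-of-image marker
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; a clean JPEG ends here
B64_CHARS = re.compile(rb"^[A-Za-z0-9+/=]+$")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the last JPEG end-of-image marker.

    Assumption: an appended Base64 trailer is ASCII, so it contains no 0xFF
    byte and rfind() lands on the real image's EOI rather than inside it.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("no EOI marker found")
    return data[eoi + len(JPEG_EOI):]


def decode_appended_base64(data: bytes, min_len: int = 32):
    """Decode an appended Base64 trailer, or return None if there is none."""
    tail = re.sub(rb"\s+", b"", trailing_bytes(data))  # drop line wrapping
    if len(tail) < min_len or not B64_CHARS.match(tail):
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except binascii.Error:
        return None


# Constructed samples: a minimal JPEG skeleton and a placeholder trailer
# (not the real campaign's payload).
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
CONSTRUCTED_PAYLOAD = b"-----BEGIN CONSTRUCTED PLACEHOLDER-----\n" + b"A" * 40
SUSPECT_JPEG = CLEAN_JPEG + b"\n" + base64.encodebytes(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        payload = decode_appended_base64(blob)
        status = f"{len(payload)} decoded bytes" if payload else "no trailer"
        print(f"{name}: {len(trailing_bytes(blob))} trailing bytes, {status}")
```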
The binary's strings are encoded with ROT25; it is compiled in the Go programming language and obfuscated with Gobfuscation.
Once executed, the malware makes a series of unique DNS connections. The researchers determined that the binary was using a DNS data exfiltration technique, sending unique DNS queries to a C2 DNS server.