A Golang-based persistent malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep-field image taken from NASA’s James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.
The development, revealed by securonixpoints to the growing adoption of Go among threat actors, given the programming language’s cross-platform compatibility, allowing operators to leverage a common code base to target different operating systems.
Go binaries also have the added benefit of being harder to analyze and reverse engineer compared to malware written in other languages like C++ or C#, not to mention lengthy analysis and detection attempts.
Phishing emails containing a Microsoft Office file attachment act as an entry point for the attack chain which, when opened, retrieves an obfuscated VBA macro which, in turn, runs automatically if macros are enabled by the recipient .
Running the macro results in downloading an image file “OxB36F8GEEC634.jpg” which appears to be an image of the first deep field captured by JWST but, when inspected with a text editor, is actually an encoded payload in Base64.
“The unobfuscated [macro] the code runs [a command] which will download a file called OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe), and then finally execute it,” said Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov.
The binary, a 1.7 MB 64-bit Windows executable, is not only equipped to fly under the radar of anti-malware engines, but is also obscured using a technique called gobfuscation, which makes use of a tool Golang obfuscation publicly. available on GitHub.
The gobfuscate library has previously been documented as being used by the actors behind ChaChi, a remote access Trojan employed by the operators of the PYSA (also known as Mespinoza) ransomware as part of their toolset, and command and control framework ( C2) from Sliver.
Communication with the C2 server is facilitated through encrypted DNS queries and responses, allowing the malware to execute commands sent by the server via the Windows Command Prompt (cmd.exe). The C2 domains for the campaign are said to have been registered in late May 2022.
Microsoft’s decision to block macros by default in Office applications has led many adversaries to modify their campaigns by switching to unauthorized LNK and ISO files to deploy malware. It remains to be seen if the GO#WEBBFUSCATOR actors will adopt a similar attack method.
“Using a legitimate image to build a Golang binary with Certutil is not very common,” the researchers said, adding that “it is clear that the original author of the binary designed the payload with some trivial anti-EDR and counterforensic detection methodologies.” “. in mind.”
