Ever since the James Webb Space Telescope (JWST), the space telescope designed primarily to conduct infrared astronomy, was put into space, the world is expecting to see more and clearer photos of stars and galaxies.
JWST as the largest optical telescope in space, is able to create that expectation because it greatly improved infrared resolution and sensitivity. This allows it to view objects too early, distant, or faint for the Hubble Space Telescope.
This is why the world is eager to see more of what the JWST can provide.
Knowing this, a scientist had pranked the whole world by posting a picture of a sausage slice. And this time, hackers who know this too, is embedding malware to image provided by JWST.
Security analytics firm Securonix reported that hackers have nefariously hidden malware code in a copy of an image from the super telescope, as part of their broader hacking campaign dubbed the ‘GO#WEBBFUSCATOR’ .
The infection starts with a phishing email with an attached malicious document.
That file contains an obfuscated macro that auto-executes if macros are enabled in Microsoft Office suite. The code then downloads an image file from its source, which will then decodes into an executable file.
After all is done, the file is executed.
Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.
"The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents," explained Securonix in the report.
The researchers noted that the oldest domains used for the campaign were registered in May 29, 2022.
The campaign is written in Go (Golang), and the researchers argue that the rise in Go-based malware attacks could be due to how difficult it is to reverse engineer the language, and/or how flexible the language can be at operating across different platforms like Windows, Mac, and Linux.
In other words, this campaign is a super complex, multi-stage malware attack meant to infiltrate people's computers.
The malware is also persistent, because it will try to maintain its presence by implanting a binary program “into the Windows registry Run key.”
The Webb Space Telescope offers views of the universe like never before.
Hackers know this, and also know that people are wanting to see more photos taken from this spectacular telescope.
The image file itself is not faked.
As a matter of fact, the image, which is a photo of the iconic region of space called SMACS 0723, was indeed taken by JWST. However, when inspected with a text editor, it's found that the hackers have embedded it a malicious Base64 code camouflaged as an included certificate.
"At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal," the advisory reads.
"To the best of our knowledge, this campaign has been targeting a range of victims in different countries," said Oleg Kolesnikov, Securonix’s vice president of Threat Research. "There have been multiple layers of obfuscation/[antivirus] evasion and a number of different payloads involved in the attack. We do not know yet what the end-goal objective of the attack is."