A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken by NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.
The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, which effectively allows the operators to use a common codebase to target different operating systems.
Go binaries also have the added benefit of making analysis and reverse engineering difficult compared with malware written in other languages like C++ or C#, not to mention prolonging analysis and detection attempts.
Phishing emails carrying a Microsoft Office attachment act as the entry point for the attack chain: when opened, the document retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros.
The execution of the macro results in the download of an image file "OxB36F8GEEC634.jpg" that appears to be an image of the First Deep Field captured by JWST but, when inspected using a text editor, is actually a Base64-encoded payload.
"The deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it," Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov said.
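The lure described above works because the ".jpg" is not an image at all but Base64 text that certutil decodes into a Windows executable. A defender triaging a downloaded file can check this directly: does the file start with a real JPEG marker, and if not, is it Base64 that decodes to the PE "MZ" magic? The script below is an added example written for this article, not code from Securonix or from the campaign; the sample inputs (a minimal JPEG header and a stub beginning with "MZ") are constructed here and are not real files. It also goes one step beyond the article by flagging a genuine JPEG with extra data appended after the end-of-image marker, a variant of the same hiding technique.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
PE_MAGIC = b"MZ"             # DOS/PE header magic of a Windows executable
# certutil -decode accepts the Base64 alphabet plus line breaks
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def _strip_pem_armor(data: bytes) -> bytes:
    # certutil -decode handles bare Base64 as well as text wrapped in
    # -----BEGIN/END----- lines; drop the armor so both forms are inspected alike.
    lines = [ln for ln in data.splitlines() if not ln.strip().startswith(b"-----")]
    return b"\n".join(lines)


def trailing_data_after_eoi(data: bytes) -> bytes:
    """Bytes appended after the last JPEG end-of-image marker (empty if none).

    rfind is a heuristic: a binary trailer could itself contain FF D9, in which
    case only the part after that pair is returned.
    """
    eoi = data.rfind(JPEG_EOI)
    return b"" if eoi == -1 else data[eoi + 2:]


def classify_image_file(data: bytes) -> str:
    """Say what a supposed image file really is.

    'jpeg'         : real JPEG with nothing after the end-of-image marker
    'jpeg+trailer' : real JPEG with data appended after the end-of-image marker
    'base64-pe'    : Base64 text whose decoded bytes start with the PE 'MZ' magic
    'base64-other' : Base64 text decoding to something else
    'unknown'      : none of the above
    """
    if data.startswith(JPEG_SOI):
        return "jpeg+trailer" if trailing_data_after_eoi(data).strip() else "jpeg"
    body = _strip_pem_armor(data).strip()
    if not body or not _B64_BODY.match(body):
        return "unknown"
    try:
        # validate=False discards the line breaks, as certutil does
        decoded = base64.b64decode(body, validate=False)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-pe" if decoded.startswith(PE_MAGIC) else "base64-other"


# --- constructed samples (not real files) ---------------------------------
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
# a stub that merely begins with the PE magic; it is not an executable
FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
CONSTRUCTED_JPG_LURE = base64.encodebytes(FAKE_PE_STUB)          # what the "image" really holds
ARMORED_LURE = (b"-----BEGIN CERTIFICATE-----\n" + CONSTRUCTED_JPG_LURE
                + b"-----END CERTIFICATE-----\n")
BENIGN_BASE64 = base64.encodebytes(b"hello world")
JPEG_WITH_TRAILER = REAL_JPEG + CONSTRUCTED_JPG_LURE
NOT_AN_IMAGE = b"GIF89a\x01\x00"


def scan_samples() -> dict:
    """Classify every constructed sample; returns name -> verdict."""
    return {
        "real_jpeg": classify_image_file(REAL_JPEG),
        "jpg_lure": classify_image_file(CONSTRUCTED_JPG_LURE),
        "armored_lure": classify_image_file(ARMORED_LURE),
        "benign_base64": classify_image_file(BENIGN_BASE64),
        "jpeg_with_trailer": classify_image_file(JPEG_WITH_TRAILER),
        "not_an_image": classify_image_file(NOT_AN_IMAGE),
    }


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The same check can be run over real downloads by reading the file bytes and calling `classify_image_file`; any verdict other than "jpeg" for a file that arrived with an image extension is worth a closer look, and "base64-pe" reproduces exactly what a text editor showed the Securonix analysts.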
The binary, a Windows 64-bit executable with a size of 1.7MB, is not only equipped to fly under the radar of antimalware engines, but is also obscured through a technique called gobfuscation, which makes use of a Golang obfuscation tool publicly available on GitHub.
The gobfuscate library has previously been documented as used by the actors behind ChaChi, a remote access trojan employed by the operators of the PYSA (aka Mespinoza) ransomware as part of their toolset, and by the Sliver command-and-control (C2) framework.
Communication with the C2 server is facilitated via encrypted DNS queries and responses, enabling the malware to run commands sent by the server through the Windows Command Prompt (cmd.exe). The C2 domains for the campaign are said to have been registered in late May 2022.
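C2 over DNS leaves a characteristic trace in resolver logs: long, high-entropy labels that carry encoded data, and many distinct subdomains under one apex domain. The script below, an added example written for this article rather than anything published by Securonix, scores DNS query log lines on those three signals. The log format (timestamp, client, query name, query type) and the `c2-placeholder.invalid` domain are assumptions constructed for the demo; the thresholds are starting points to tune against your own baseline, and the "last two labels are the apex" rule is a simplification that ignores suffixes like co.uk.

```python
import math
from collections import Counter, defaultdict

LONG_LABEL = 24            # a single DNS label this long rarely occurs in benign names
HIGH_ENTROPY_BITS = 3.8    # Shannon entropy of the subdomain part, in bits per character
FANOUT_THRESHOLD = 4       # distinct subdomains seen under one apex in the window


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Split a query name into (subdomain part, apex). Apex = last two labels (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    # assumed log layout: <timestamp> <client-ip> <qname> <qtype>
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def suspicious_dns_queries(lines):
    """Return [(qname, qtype, [reasons])] for every query that trips at least one signal."""
    records = [parse_line(ln) for ln in lines if ln.strip()]
    per_apex = defaultdict(set)
    for r in records:
        r["sub"], r["apex"] = split_qname(r["qname"])
        if r["sub"]:
            per_apex[r["apex"]].add(r["sub"])
    findings = []
    for r in records:
        reasons = []
        labels = r["sub"].split(".") if r["sub"] else []
        if any(len(lb) >= LONG_LABEL for lb in labels):
            reasons.append("long-label")
        if shannon_entropy(r["sub"].replace(".", "")) >= HIGH_ENTROPY_BITS:
            reasons.append("high-entropy")
        if len(per_apex[r["apex"]]) >= FANOUT_THRESHOLD:
            reasons.append("subdomain-fanout")
        if reasons:
            findings.append((r["qname"], r["qtype"], reasons))
    return findings


# constructed sample log; the 32-hex-character labels stand in for encoded C2 traffic
SAMPLE_LOG = [
    "2022-05-30T10:00:01Z 10.0.0.5 www.example.com A",
    "2022-05-30T10:00:02Z 10.0.0.5 mail.example.com MX",
    "2022-05-30T10:00:03Z 10.0.0.5 cdn.example.com A",
    "2022-05-30T10:00:04Z 10.0.0.7 4f2a9c1e7b3d8e6f0a5c2b9d4e1f7a3c.c2-placeholder.invalid TXT",
    "2022-05-30T10:00:05Z 10.0.0.7 9b8d7e6f5a4c3b2d1e0f9a8b7c6d5e4f.c2-placeholder.invalid TXT",
    "2022-05-30T10:00:06Z 10.0.0.7 c0ffee1234deadbeef5678abcd9012ef.c2-placeholder.invalid TXT",
    "2022-05-30T10:00:07Z 10.0.0.7 0123456789abcdef0123456789abcdef.c2-placeholder.invalid TXT",
]


def flagged_qnames(lines=SAMPLE_LOG):
    """Sorted list of query names that tripped any signal."""
    return sorted({q for q, _, _ in suspicious_dns_queries(lines)})


if __name__ == "__main__":
    for qname, qtype, reasons in suspicious_dns_queries(SAMPLE_LOG):
        print(f"{qname} ({qtype}): {', '.join(reasons)}")
```

On the constructed log the three example.com lookups stay quiet while each query to the placeholder apex is flagged on label length and, because four distinct subdomains hit the same apex, on fan-out as well. In practice the fan-out signal is the one that survives when an operator shortens labels, so it is worth keeping even at the cost of more tuning.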
Microsoft's decision to block macros by default across Office apps has led many an adversary to tweak their campaigns by switching to rogue LNK and ISO files for deploying malware. It remains to be seen if the GO#WEBBFUSCATOR actors will embrace a similar attack methodology.
"Using a legitimate image to build a Golang binary with Certutil is not very common," the researchers said, adding, "it's clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind."