Wednesday, August 31, 2022

Hackers Hide Malware in Stunning Images Taken by the James Webb Space Telescope


A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken by NASA’s James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems.

The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language’s cross-platform support, which effectively allows operators to use a single codebase to target different operating systems.

Go binaries also have the added benefit, from the attacker’s point of view, of making analysis and reverse engineering harder than for malware written in languages like C++ or C#, which prolongs analysis and detection attempts.

Phishing emails carrying a Microsoft Office attachment act as the entry point for the attack chain. When opened, the attachment retrieves an obfuscated VBA macro, which is auto-executed should the recipient enable macros.


Execution of the macro results in the download of an image file, “OxB36F8GEEC634.jpg”, that appears to be an image of the First Deep Field captured by JWST but, when inspected in a text editor, is actually a Base64-encoded payload.

“The deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it,” Securonix researchers D. Iuzvyk, T. Peck, and O. Kolesnikov said.
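Two defensive checks follow directly from that description: a file named like an image can be verified against the JPEG magic bytes (and, if it is really Base64 text, decoded to see whether a Windows PE header hides inside), and process-creation telemetry can be watched for certutil.exe being invoked with a decode switch. The following is an added example written for this page, not code from the article or from Securonix; the file contents and log lines are constructed samples, and the function names are my own.

```python
import base64
import binascii
import re
import shlex

# A genuine JPEG starts with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"
# A Windows PE executable starts with the DOS header signature "MZ".
PE_MAGIC = b"MZ"
# Base64 alphabet plus padding and the line breaks certutil-style output uses.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def classify_image_file(data: bytes) -> str:
    """Content-only check of a file that claims to be an image.

    Returns 'jpeg', 'base64-pe', 'base64-other' or 'unknown'. Nothing is
    executed; the decoded bytes are only inspected for a PE signature.
    """
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    # Drop PEM-style "-----BEGIN/END-----" header lines before the alphabet test.
    body = b"\n".join(
        line for line in data.splitlines() if not line.startswith(b"-----")
    )
    if not _B64_RE.match(body):
        return "unknown"
    try:
        decoded = base64.b64decode(body, validate=False)
    except binascii.Error:  # not valid Base64 after all (e.g. bad padding)
        return "unknown"
    return "base64-pe" if decoded.startswith(PE_MAGIC) else "base64-other"


def is_certutil_decode(cmdline: str) -> bool:
    """True when a command line runs certutil with a decode switch."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return False
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("certutil", "certutil.exe"):
        return False
    switches = {a.lower() for a in argv[1:] if a.startswith(("-", "/"))}
    return bool(switches & {"-decode", "/decode", "-decodehex", "/decodehex"})


def scan_process_log(lines):
    """Return (timestamp, command line) for every certutil decode in the log."""
    hits = []
    for line in lines:
        timestamp, _, cmd = line.partition(" ")
        if is_certutil_decode(cmd):
            hits.append((timestamp, cmd))
    return hits


# Constructed sample: a tiny fake "PE" (just the MZ signature plus padding),
# Base64-encoded and wrapped in 64-column lines as a decoder would accept it.
_b64 = base64.b64encode(b"MZ" + b"\x00" * 62)
FAKE_IMAGE_BYTES = b"\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
# Constructed sample: the first bytes of a real JPEG (SOI marker + JFIF APP0).
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
# Constructed sample process-creation log: "<timestamp> <command line>".
SAMPLE_PROCESS_LOG = [
    '2022-08-31T10:00:01Z "C:\\Windows\\System32\\certutil.exe" -verify cert.cer',
    "2022-08-31T10:00:02Z certutil.exe -decode OxB36F8GEEC634.jpg msdllupdate.exe",
    "2022-08-31T10:00:03Z notepad.exe notes.txt",
]

if __name__ == "__main__":
    print("fake image:", classify_image_file(FAKE_IMAGE_BYTES))
    print("real jpeg :", classify_image_file(REAL_JPEG_HEADER))
    for ts, cmd in scan_process_log(SAMPLE_PROCESS_LOG):
        print("certutil decode at", ts, "->", cmd)
```

The file check is deliberately conservative: a byte sequence that is entirely Base64 alphabet but does not decode is reported as unknown rather than guessed at, and only the decoded bytes are examined, never run. Legitimate uses of certutil (verifying or hashing certificates) do not match the decode switch set, so the log scan stays quiet on them.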

The binary, a 1.7MB Windows 64-bit executable, is not only built to fly under the radar of antimalware engines but is also obscured by a technique called gobfuscation, which uses a Golang obfuscation tool publicly available on GitHub.

The gobfuscate library has previously been documented as used by the actors behind ChaChi, a remote access trojan employed by the operators of the PYSA (aka Mespinoza) ransomware as part of their toolset, and by the Sliver command-and-control (C2) framework.

Communication with the C2 server is carried over encrypted DNS queries and responses, enabling the malware to run commands sent by the server through the Windows Command Prompt (cmd.exe). The C2 domains for the campaign are said to have been registered in late May 2022.


Microsoft’s decision to block macros by default across Office apps has led many adversaries to adjust their campaigns by switching to rogue LNK and ISO files for deploying malware. It remains to be seen whether the GO#WEBBFUSCATOR actors will adopt a similar attack method.

“Using a legitimate image to build a Golang binary with Certutil is not very common,” the researchers said, adding, “it’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind.”
