Fascinating images with malware from the James Webb telescope

B2B Cyber Security ShortNews


Hackers hide malware in James Webb telescope images: threat analysts have discovered a new malware campaign, dubbed "GO#WEBBFUSCATOR", that uses phishing emails, malicious documents and space images from the James Webb telescope to spread malware.

The infection begins with a phishing email carrying a malicious document, 'Geos-Rates.docx', which downloads a template file. That file contains an obfuscated VBS macro that runs automatically if macros are enabled in the Office suite. The macro then downloads a JPG image ('OxB36F8GEEC634.jpg') from a remote resource ('xmlschemeformat[.]com'), decodes it into an executable ('msdllupdate.exe') using certutil.exe, and launches it.

Tempting images load malware

In an image viewer, the .JPG shows the galaxy cluster SMACS 0723 released by NASA in July 2022. Opened in a text editor, however, the file reveals additional content disguised as an embedded certificate: a Base64-encoded payload that decodes to the malicious 64-bit executable.
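A defender-side check for the file layout described above (image data followed by a certificate-looking Base64 block that decodes to a PE file). This is an added example, not code from the article or from the researchers; the sample bytes are constructed here, and the exact layout of the real sample is an assumption based on the description.

```python
import base64
import re

# Constructed sample: a minimal JPEG (SOI ... EOI) followed by a fake "certificate"
# block whose Base64 body decodes to bytes starting with the PE magic "MZ".
# This mimics the layout the article describes; it is not the real sample.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed-placeholder-not-a-real-executable"
PEM_LIKE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE)
    + b"-----END CERTIFICATE-----\n"
)
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
SAMPLE_JPG = JPEG_BODY + PEM_LIKE   # image with appended payload
CLEAN_JPG = JPEG_BODY              # image with nothing after the EOI marker

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the last JPEG End-Of-Image marker (FF D9)."""
    eoi = data.rfind(b"\xff\xd9")
    return b"" if eoi == -1 else data[eoi + 2:]

def find_pem_payloads(data: bytes) -> list:
    """Decode every certificate-looking block found after the image data,
    the same way 'certutil -decode' would, and flag blocks that yield a PE."""
    findings = []
    for m in PEM_RE.finditer(trailing_payload(data)):
        b64 = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not valid Base64, so certutil could not decode it either
        findings.append({"size": len(blob), "is_pe": blob.startswith(b"MZ")})
    return findings

def is_suspicious_jpeg(data: bytes) -> bool:
    """True if a JPEG carries a Base64 'certificate' that decodes to a PE image."""
    if not data.startswith(b"\xff\xd8"):
        return False
    return any(f["is_pe"] for f in find_pem_payloads(data))
```

Run the check over image attachments arriving through mail or web gateways; a JPEG that is also a valid `certutil -decode` input is a strong indicator of this technique.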

"In essence, it's not surprising that threat actors have found a way to install malware using images from the James Webb telescope. It shows once again that cyber criminals misuse any interesting or viral content for their purposes, always aiming to distribute their malware to unprepared and careless people," says Dr. Sebastian Schmerl, Director Security Services EMEA at Arctic Wolf.

Phishing exploits fascination

Many want to see it: James Webb Telescope images are infected with malware (Image: NASA, ESA, CSA, and STScI).

"As with all cyber incidents, threat actors can still be expected to leverage breaking news or phishing attempts disguised as interesting stories to deliver their malware. The impressive images of the James Webb telescope are the perfect vehicle to lure the unwary into the trap.

Incidents like this once again illustrate why it is more important than ever for companies to review and strengthen their security measures. With the right technology and well-trained security professionals monitoring for malicious activity 24/7, risks can be mitigated and weak and vulnerable parts of the digital infrastructure can be identified."

More at ArcticWolf.com

About Arctic Wolf

Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.
