2022-09-06

Office Macros and James Webb Telescope Images Used in Infection Chain

Level: 
Tactical
  |  Source: 
Share:

Office Macros and James Webb Telescope Images Used in Infection Chain

Industry: N/A | Level: Tactical | Source: Securonix

Researchers from Securonix have discovered a colorful new attack campaign involving phishing, malicious documents, and space images from NASA's James Webb telescope with intent to distribute Golang written malware. Threat actors have been favoring Go-written malware due to its versatility crossing platforms in Windows and *NIX operating systems as well as being more difficult to reverse engineer. The documented infection chain begins with the execution of the malicious document, downloading a template file, and executing a VBS macro. The macro downloads the James Webb telescope image as a JPG file, as analyzed by Securonix "The image contains malicious Base64 code disguised as an included certificate. At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal." The file is decoded into an executable file using certutil.exe. The malware will proceed to create and execute a batch file, create persistence by adding itself to the registry and initiate a DNS connection for its command and control (C2). This campaign by the threat actors appears to be ongoing, as new domains were registered recently with the oldest dating back to May 29th, 2022.

Anvilogic Scenario:

  • Golang Malware Infection with JPG File

Anvilogic Use Cases:

  • Invoke-WebRequest Command
  • Certutil De-Obfuscate/Decode Files
  • Executable Create Script Process

Get trending threats published weekly by the Anvilogic team.

Sign Up Now