James Webb Space Telescope Snap might actually contain Malware

Jul 27, 2015
Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way.

The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft. More specifically, the obfuscated code is Base64-encoded and included in the .jpeg disguised as a certificate. The payload, dubbed GO#WEBBFUSCATOR, was not detected as malicious by antivirus engines in VirusTotal. This is all according to researchers at cybersecurity firm Securonix, who said they spotted and inspected the .jpeg's contents.

The malware "incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system," Securonix's D. Iuzvyk, T. Peck, and O. Kolesnikov wrote in a report this week.

The infection starts with a phishing email that contains a Microsoft Office attachment named Geos-Rates[.]docx that, when opened, downloads a malicious template file that contains an obfuscated VBA macro that automatically executes – if the macro is allowed to run. Microsoft last month blocked internet-source macros by default in Office to improve security, which has pushed threat groups to find alternative methods for launching attacks, such as using Windows LNK files.

If the script runs, it downloads the image file OxB36F8GEEC634[.]jpg that appears to be the Webb telescope photo .jpeg. Once fetched, the code uses certutil.exe to decode it into a binary and execute it. The binary is a Windows 64-bit executable that is about 1.7MB in size and uses a number of obfuscation techniques to hide from security services and hamper analysis. Strings within the code were obfuscated using ROT25 and the binary is all messed up as a result of Gobfuscation, a Go-based tool that is available on GitHub.

See the above write-up for the full details on what to look for, if you're concerned this may have landed on your network.

The executed malware "was observed making unique DNS connections," the researchers wrote. "By looking at the URL strings we can determine that the binary file was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server." That is to say, it was using DNS queries to leak data from the system.
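As an added example (not code from the article or from Securonix's report), here is a small Python triage check for the technique described above: it looks for a PEM-style "certificate" block inside an image file, the exact layout certutil -decode consumes, and reports whether the Base64 body actually decodes to a Windows PE header rather than a DER certificate. The JPEG and payload bytes are constructed inline for the demonstration.

```python
import base64
import binascii
import re

# PEM layout accepted by "certutil -decode": header, Base64 body, footer.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def find_pem_payloads(data: bytes) -> list:
    """Return the decoded bytes of every PEM 'certificate' block in data."""
    payloads = []
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(1).split())  # drop line breaks inside the body
        try:
            payloads.append(base64.b64decode(body, validate=True))
        except binascii.Error:
            continue  # not valid Base64; certutil would reject it as well
    return payloads


def classify(data: bytes) -> str:
    """Label a file by what its embedded PEM block (if any) really contains."""
    is_jpeg = data[:3] == b"\xff\xd8\xff"  # JPEG SOI marker
    payloads = find_pem_payloads(data)
    if not payloads:
        return "clean" if is_jpeg else "not-jpeg"
    for p in payloads:
        if p[:2] == b"MZ":  # DOS/PE header: an executable, not a certificate
            return "jpeg-with-embedded-pe" if is_jpeg else "pe-in-pem"
        if p[:1] != b"\x30":  # a DER certificate always starts with SEQUENCE
            return "jpeg-with-non-certificate-pem"
    return "jpeg-with-certificate"


def build_sample(payload: bytes) -> bytes:
    """Constructed test file: a tiny JPEG followed by payload wrapped as PEM."""
    b64 = base64.encodebytes(payload)  # wraps at 76 columns, newline-terminated
    return (b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
            + b"-----BEGIN CERTIFICATE-----\n" + b64
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 58  # constructed PE-like header
    print(classify(build_sample(fake_pe)))  # jpeg-with-embedded-pe
```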

ForgottenSeer 69673

"Once fetched, the code uses certutil.exe to decode it into a binary and execute it."

How is this working on Mac and Linux?
