
Hackers hide malware in space footage captured by Webb telescope | iThome

by admin

Security firm Securonix disclosed this week that it has uncovered a new campaign in which hackers use malware written in the Go programming language (Golang) and space imagery captured by the Webb telescope to infect victims.

The attack starts with a phishing email carrying a Microsoft Word file, in one case named Geos-Rates.docx, whose metadata contains an external reference to a malicious template file; as a result, the template is downloaded and saved as soon as the user opens the document.

The template file contains a VB script that runs automatically once the user enables macros. It connects to the hackers' C&C server and downloads a JPG image file: the first deep-field photo captured by the Webb telescope (Webb's First Deep Field).

[Image: Webb's First Deep Field as used by the campaign. Image source: Securonix]

The James Webb Space Telescope is the most advanced space telescope in the world so far and was launched at the end of last year. Its first deep-field photo captured the SMACS 0723 galaxy cluster, which formed 4.6 billion years ago, and is described as the deepest and sharpest infrared image of the early universe to date.

Researchers found, however, that this photo of the SMACS 0723 galaxy cluster hides a malicious program written in Golang, disguised as a certificate, which as of this week had not been detected by other anti-virus products. The malware's purpose is to persist on the victim's system so that hackers can control it through the C&C server.
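Image viewers stop rendering at a JPEG's End-Of-Image marker, so a file can display a perfectly normal picture while carrying extra bytes after it. The script below is an added example, not code from the article or from Securonix, that walks the JPEG marker structure, returns whatever follows EOI, and scores it with two heuristics tied to what the article reports: a PEM-style certificate header and a high proportion of Base64-alphabet bytes. That the payload sits after EOI is an assumption made for this example; the report does not say where in the file it is stored. The sample JPEG and the fake certificate block are constructed here and contain no real payload.

```python
import base64

# Bytes that may legitimately appear in a Base64 text blob (including line breaks).
BASE64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n")


def jpeg_trailer(data: bytes) -> bytes:
    """Walk the JPEG segment structure and return every byte after the
    End-Of-Image marker. Decoders stop at EOI, so this region is invisible
    when the picture is viewed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                                  # fill byte before a marker
            i += 1
        elif marker == 0xD9:                                # EOI: image proper ends here
            return data[i + 2:]
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                                          # standalone markers, no length
        else:
            length = int.from_bytes(data[i + 2:i + 4], "big")
            i += 2 + length                                 # length field counts itself
            if marker == 0xDA:                              # SOS: entropy-coded data follows
                # In scan data a 0xFF is always stuffed as FF 00 or is an RSTn marker,
                # so the next FF followed by anything else is the next real marker.
                while i + 1 < len(data):
                    nxt = data[i + 1]
                    if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                        break
                    i += 1
    return b""


def analyze_trailer(data: bytes) -> dict:
    """Heuristics on the post-EOI bytes: a PEM certificate header (the disguise
    the article describes) and the share of bytes from the Base64 alphabet."""
    trailer = jpeg_trailer(data)
    b64_like = sum(1 for b in trailer if b in BASE64_ALPHABET)
    return {
        "trailer_bytes": len(trailer),
        "pem_header": b"-----BEGIN CERTIFICATE-----" in trailer,
        "base64_ratio": round(b64_like / len(trailer), 3) if trailer else 0.0,
    }


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP0, a tiny SOS whose scan data includes
    a stuffed FF 00 and an RST0 marker (to exercise the parser), EOI, then the
    optional appended bytes. Not a real image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return (b"\xff\xd8"
            + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
            + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
            + scan + b"\xff\xd9" + trailer)


# Constructed stand-in for a certificate-looking blob; the body is filler text.
FAKE_CERT_TRAILER = (b"-----BEGIN CERTIFICATE-----\n"
                     + base64.encodebytes(b"constructed placeholder, not the real payload" * 8)
                     + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print("clean image:", analyze_trailer(build_sample_jpeg()))
    print("appended blob:", analyze_trailer(build_sample_jpeg(FAKE_CERT_TRAILER)))
```

A non-empty trailer is not proof of malice on its own (some cameras and editors leave harmless data there), but a trailer that decodes as Base64 and is shaped like a certificate is a strong reason to pull the file for analysis rather than trust the picture.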

Beyond the lure of Webb's First Deep Field, which has recently caught the attention of space enthusiasts, Securonix points to a survey by security firm Intezer that found malware written in Golang increased by 2,000 percent between 2017 and 2020. Compared with C++ or C#, Golang is more difficult to analyze or reverse engineer, and it is more portable across platforms. There are also many frameworks for producing Golang malware and executables, such as ColdFire or OffensiveGolang. This prompted Securonix to once again remind the community to stay vigilant against Golang malware.
