Researchers have discovered that hackers are using an image taken by the James Webb Space Telescope, the newest space observatory, to spread malware (a program created to damage a computer or network). The findings were released this week in a security advisory from the security company Securonix Threat Research.

The image used to hide the malicious code was released in July this year and shows the galaxy cluster known as SMACS 0723. According to the company, the threat is written in Golang, a programming language that is gaining popularity among attackers because it is cross-platform (it runs on Windows, Linux and macOS).

Go also offers greater resistance to reverse engineering and analysis, the techniques defenders use to work out how an attack happens and to improve protection. In its report, Securonix said that it is already tracking the attacks, which it has named GO#WEBBFUSCATOR.

How the malware works

The attack starts with a phishing email (a message that baits the victim) carrying a malicious Microsoft Office document. In the case discovered, the file was named “Geos-Rates.docx”.

This file contains a hidden VBA (Visual Basic for Applications) macro, essentially a sequence of commands, which runs automatically if macros are enabled in the Office suite.

The macro then downloads a JPG image (named “OxB36F8GEEC634.jpg”), decodes it into an executable and launches it, without the victim noticing anything.

Opened in an image viewer, the JPG file shows the galaxy cluster SMACS 0723. Opened in a text editor, however, the same file reveals additional disguised content, which is what gets decoded into the malicious executable.
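A picture that still displays normally while carrying extra content is usually a valid JPEG with data appended after its End-Of-Image marker. The script below is an added example for defenders, not code from the report or from the malware: it walks the JPEG marker structure to find the real end of the picture (rather than searching for the last FF D9 byte pair, which an embedded EXIF thumbnail or the appended data itself can fool) and flags files whose tail is long and almost entirely printable, the pattern of a text-encoded payload. The JPEG bytes and the tail are constructed stand-ins; the thresholds are assumptions to tune per environment.

```python
import string

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def find_eoi(jpeg: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the
    real End-Of-Image marker. Raises ValueError on malformed input."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(jpeg)
    while pos + 2 <= n:
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the picture ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        length = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        pos += 2 + length                       # skip the whole segment
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Scan to the next real marker: FF 00 is byte stuffing, FF D0-D7 are
            # restart markers, both belong to the scan data.
            while pos + 1 < n:
                nxt = jpeg[pos + 1]
                if jpeg[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_data(jpeg: bytes) -> bytes:
    """Bytes that follow the picture proper (empty for a clean file)."""
    return jpeg[find_eoi(jpeg):]


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def assess(jpeg: bytes, min_trailing: int = 32, min_ratio: float = 0.95) -> dict:
    """Summarise the tail of a JPEG; a long, nearly all-printable tail is
    typical of text-encoded payloads hidden behind an image."""
    tail = trailing_data(jpeg)
    ratio = printable_ratio(tail)
    return {
        "trailing_bytes": len(tail),
        "printable_ratio": round(ratio, 2),
        "suspicious": len(tail) >= min_trailing and ratio >= min_ratio,
    }


# Constructed stand-in for a JPEG: SOI, an APP1 segment carrying an embedded
# thumbnail (which has its own FF D9), one SOS segment with stuffed scan data
# and a restart marker, then the real EOI.
THUMB = SOI + EOI
APP1 = b"\xff\xe1" + (2 + len(THUMB)).to_bytes(2, "big") + THUMB
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\xff\x00\x34\xff\xd0\x56"
CLEAN_JPEG = SOI + APP1 + SOS + SCAN + EOI

# Constructed tail that mimics text-encoded payload data and deliberately
# contains the byte pair FF D9, so a naive "last FF D9" search would be fooled.
TAIL = b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" * 3 + EOI + b"AAAA"
STUFFED_JPEG = CLEAN_JPEG + TAIL

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_JPEG), ("stuffed", STUFFED_JPEG)):
        print(name, assess(data))
```

On a real file the same call is `assess(open(path, "rb").read())`; a non-empty tail on its own is not proof of malice (some cameras and editors append metadata), so the verdict is worth correlating with where the file came from and what process opened it.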

According to the malware analysis, once running, the malware communicates over DNS (the protocol that maps the name of a website or application to its actual address, the IP number). This channel is used for command and control.

“The encrypted messages [from the affected system] are read and decrypted on the server, thus revealing their original content,” Securonix explains in the report. “This practice can be used to establish an encrypted channel for command and control or to extract sensitive data.”
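Command-and-control over DNS leaves a recognisable trace in resolver logs: a stream of queries to one domain whose subdomains are long, high-entropy and almost never repeated, because each query carries a chunk of encoded data. The detector below is an added example written from the defender's side, not code from the report or from the malware; it assumes a simple constructed log format (`timestamp client=IP qtype=TYPE name=FQDN`), a constructed command domain `c2-example.test`, and thresholds that are assumptions to tune against real traffic.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Parse 'ts key=value key=value ...' into a dict (timestamp kept as 'ts')."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def split_domain(fqdn: str) -> tuple[str, str]:
    """Return (registrable base domain, subdomain part) using the last two labels.
    Real deployments would use the public suffix list instead of this shortcut."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_tunnels(lines, min_queries=8, min_avg_sub_len=30,
                     min_avg_entropy=3.0, min_unique_ratio=0.9) -> list:
    """Aggregate queries per base domain and flag domains whose subdomains look
    like an encoded data stream rather than host names."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(),
                                 "sub_len": 0, "entropy": 0.0, "txt": 0})
    for line in lines:
        rec = parse_line(line)
        base, sub = split_domain(rec["name"])
        s = stats[base]
        s["queries"] += 1
        s["unique"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if rec.get("qtype") == "TXT":       # TXT answers are a common downlink
            s["txt"] += 1

    findings = []
    for base, s in stats.items():
        avg_len = s["sub_len"] / s["queries"]
        avg_ent = s["entropy"] / s["queries"]
        uniq = len(s["unique"]) / s["queries"]
        if (s["queries"] >= min_queries and avg_len >= min_avg_sub_len
                and avg_ent >= min_avg_entropy and uniq >= min_unique_ratio):
            findings.append({
                "domain": base,
                "queries": s["queries"],
                "unique_subdomains": len(s["unique"]),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_queries": s["txt"],
            })
    return findings


# Constructed sample log: ordinary lookups mixed with ten TXT queries whose
# subdomains are 56 hex characters of pseudo-random data each.
def _beacon(i: int) -> str:
    h = hashlib.sha256(f"constructed beacon {i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:56]}.c2-example.test"


SAMPLE_LOG = [
    "2022-08-31T10:00:01 client=10.0.0.5 qtype=A name=www.example.com",
    "2022-08-31T10:00:02 client=10.0.0.5 qtype=A name=mail.example.com",
    "2022-08-31T10:00:03 client=10.0.0.7 qtype=A name=www.example.com",
    "2022-08-31T10:00:04 client=10.0.0.7 qtype=AAAA name=cdn.example.com",
    "2022-08-31T10:00:05 client=10.0.0.5 qtype=A name=cdn.example.com",
    "2022-08-31T10:00:06 client=10.0.0.9 qtype=A name=www.example.com",
] + [f"2022-08-31T10:01:{i:02d} client=10.0.0.5 qtype=TXT name={_beacon(i)}"
     for i in range(10)]

if __name__ == "__main__":
    for f in find_dns_tunnels(SAMPLE_LOG):
        print(f)
```

The unique-subdomain ratio is what separates this pattern from a busy but legitimate CDN, whose clients repeat the same handful of host names; pairing the finding with the querying client address gives the host to examine for the dropped executable.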

The report also shows that the threat is currently not flagged as malicious by antivirus engines.

*With information from Bleeping Computer and Forbes