Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.
The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.
In the recent campaign discovered by researchers at Securonix, the threat actor drops payloads that are currently not flagged as malicious by antivirus engines on the VirusTotal scanning platform.
Infection chain
The infection begins with a phishing email carrying an attached malicious document, “Geos-Rates.docx”, which downloads a template file.
That file contains an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite. The code then downloads a JPG image (“OxB36F8GEEC634.jpg”) from a remote resource (“xmlschemeformat[.]com”), decodes it into an executable (“msdllupdate.exe”) using certutil.exe, and launches it.
In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022.
However, if opened with a text editor, the image reveals additional content disguised as an embedded certificate: a Base64-encoded payload that decodes to the malicious 64-bit executable.
The payload’s strings are further obfuscated using ROT25, while the binary uses XOR to hide the Golang assemblies from analysts. On top of that, the assemblies use case alteration to evade signature-based detection by security tools.
Based on what can be deduced through dynamic malware analysis, the executable achieves persistence by copying itself to ‘%%localappdata%%\microsoft\vault’ and adding a new registry key.
Upon execution, the malware establishes a DNS connection to the command and control (C2) server and sends encrypted queries.
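To triage an image dropped this way, the following Python script is an added example (not Securonix's tooling and not the campaign's code). It carves a PEM-armored certificate block from past the JPEG end-of-image marker, Base64-decodes it the way certutil -decode would, and checks whether the result is a PE executable rather than a DER certificate; the rot() helper at the end undoes a ROT25 shift to illustrate the string deobfuscation step. The JPEG bytes and the stub PE are constructed inline so it runs offline; the real OxB36F8GEEC634.jpg sample is not reproduced.

```python
"""Triage helper for a JPEG that carries a 'certificate' after its image data.

Added example; not Securonix's tooling and not the campaign's code. The JPEG
bytes and the stub PE below are constructed inline so the script runs offline;
the real OxB36F8GEEC634.jpg sample is not reproduced here.
"""
import base64
import re
import struct

JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker
JPEG_EOI = b"\xff\xd9"          # end-of-image marker; viewers stop here
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def carve_pem_blocks(data: bytes) -> list:
    """Return the Base64 body of every PEM block found after the last EOI.
    Anything past EOI is ignored by image viewers, which is why the picture
    still renders as SMACS 0723 while carrying an executable."""
    eoi = data.rfind(JPEG_EOI)
    trailer = data[eoi + len(JPEG_EOI):] if eoi != -1 else data
    return [m.group(1) for m in PEM_BLOCK.finditer(trailer)]


def decode_block(b64: bytes) -> bytes:
    """Strip line breaks and decode, which is what `certutil -decode` does
    with the armor lines and the column wrapping."""
    return base64.b64decode(b"".join(b64.split()))


def is_pe(blob: bytes) -> bool:
    """True if blob has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(blob: bytes) -> str:
    """A genuine certificate decodes to DER (leading 0x30 SEQUENCE tag);
    a PE starts with 'MZ'. Anything else is reported as 'other'."""
    if is_pe(blob):
        return "pe"
    if blob[:1] == b"\x30":
        return "der"
    return "other"


def triage(data: bytes) -> list:
    """Carve, decode and classify every embedded block in one pass."""
    findings = []
    for i, block in enumerate(carve_pem_blocks(data)):
        try:
            blob = decode_block(block)
        except ValueError:          # binascii.Error is a ValueError
            continue
        findings.append({"block": i, "size": len(blob), "kind": classify(blob)})
    return findings


def rot(s: str, n: int) -> str:
    """Caesar shift of ASCII letters. ROT25-obfuscated strings are recovered
    with rot(s, 1), since a shift of 25 is the same as a shift of -1."""
    out = []
    for ch in s:
        base = 97 if "a" <= ch <= "z" else 65 if "A" <= ch <= "Z" else None
        out.append(chr((ord(ch) - base + n) % 26 + base) if base is not None else ch)
    return "".join(out)


# --- constructed sample input (not the real malware) -----------------------
def build_stub_pe() -> bytes:
    """Minimal MZ/PE header stub: enough for is_pe(), not a runnable binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


def build_sample_image() -> bytes:
    """A stand-in JPEG (markers plus filler) with a PEM-armored PE appended,
    mirroring the layout described for the campaign's image."""
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(build_stub_pe())
           + b"-----END CERTIFICATE-----\n")
    return JPEG_SOI + b"\x00" * 32 + JPEG_EOI + b"\r\n" + pem


if __name__ == "__main__":
    for finding in triage(build_sample_image()):
        print(finding)
```

Run it against a suspect file with `triage(open(path, "rb").read())`; a "kind" of "pe" for a block that is supposed to be a certificate is the tell. Note that rfind() on the EOI marker is deliberate: the appended Base64 text is pure ASCII and cannot contain the 0xFF 0xD9 sequence, so the last marker found is the real end of the picture.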
“The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents,” explains Securonix in the report.
“In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64.”
The C2 may respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending commands to execute through the Windows cmd.exe utility.
During testing, Securonix observed the threat actors running arbitrary enumeration commands on its test systems, a standard first reconnaissance step.
The researchers note that the domains used for the campaign were registered recently, the oldest one on May 29, 2022.
Securonix has provided a set of indicators of compromise (IoCs) that includes both network and host-based indicators.
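The DNS-TXT channel described above is a good target for a hunt query. The following Python script is an added example (not Securonix's code and not the campaign's protocol) that models both sides of such a channel: it packs Base64 data into the leftmost labels of a query name and decodes it back, then runs a detector over a constructed DNS log that flags TXT queries whose leading labels carry a long run of valid Base64 and decodes the Base64 text in the TXT answer. The query layout (URL-safe Base64 split into 63-byte labels under a two-label attacker domain), the log format, the placeholder domain and every SAMPLE_LOG line are assumptions constructed for the illustration, not observed telemetry.

```python
"""Detector for a DNS-TXT beacon: Base64 data in the leading labels of a
TXT query, a Base64 command in the TXT answer.

Added example; not Securonix's tooling and not the campaign's protocol. The
label layout, the log format and SAMPLE_LOG are constructed for this
illustration, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_LABEL = 63                       # RFC 1035 per-label limit
_URLSAFE_TO_STD = str.maketrans("-_", "+/")


def to_labels(data: bytes) -> List[str]:
    """Hostname-safe Base64 (no '+', '/', '=') chunked into DNS labels."""
    enc = base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]


def from_labels(labels: List[str]) -> Optional[bytes]:
    """Inverse of to_labels; None if the labels are not valid Base64."""
    enc = "".join(labels).translate(_URLSAFE_TO_STD)
    enc += "=" * (-len(enc) % 4)
    try:
        return base64.b64decode(enc, validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return None


def encode_beacon(data: bytes, c2_domain: str) -> str:
    """Build the query name a beacon would look up (the client side)."""
    return ".".join(to_labels(data) + [c2_domain])


def decode_beacon(qname: str, suffix_labels: int = 2) -> Optional[bytes]:
    """Treat the last `suffix_labels` labels as the attacker domain and decode
    everything in front of them. A hunter rarely knows the C2 domain up front,
    so the detector works from the shape of the name alone."""
    labels = qname.rstrip(".").split(".")
    data_labels = labels[:-suffix_labels]
    if not data_labels:
        return None
    return from_labels(data_labels)


@dataclass
class Beacon:
    ts: str
    client: str
    qname: str
    query_data: bytes
    answer_text: Optional[str]


# constructed log layout: timestamp client qtype qname answer-or-'-'
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def find_beacons(lines, min_data_chars: int = 16, suffix_labels: int = 2) -> List[Beacon]:
    """Flag TXT queries whose leading labels hold at least min_data_chars of
    valid Base64 (short names like 'www' or '_dmarc' also decode, so the
    length gate matters) and decode the TXT answer, if any, as Base64 text."""
    found = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname, answer = m.groups()
        if qtype.upper() != "TXT":
            continue
        labels = qname.rstrip(".").split(".")
        if sum(len(l) for l in labels[:-suffix_labels]) < min_data_chars:
            continue
        data = decode_beacon(qname, suffix_labels)
        if data is None:
            continue
        text = None
        if answer != "-":
            try:
                text = base64.b64decode(answer.strip('"'), validate=True).decode("utf-8", "replace")
            except ValueError:
                text = None
        found.append(Beacon(ts, client, qname, data, text))
    return found


# --- constructed sample log (placeholder domain, not a campaign IoC) --------
C2_DOMAIN = "c2-placeholder.example"
BEACON_1 = b"HOST=DESKTOP-1;USER=alice"      # constructed check-in payload
BEACON_2 = b"whoami=desktop-1\\alice"        # constructed command output
SAMPLE_LOG = [
    "2022-08-30T12:00:00Z 10.0.0.5 A    www.example.org -",
    '2022-08-30T12:00:01Z 10.0.0.5 TXT  _dmarc.example.org "v=DMARC1; p=none"',
    "2022-08-30T12:00:02Z 10.0.0.5 TXT  " + encode_beacon(BEACON_1, C2_DOMAIN)
    + " " + base64.b64encode(b"whoami").decode(),      # server answers with a command
    "2022-08-30T12:00:32Z 10.0.0.5 TXT  " + encode_beacon(BEACON_2, C2_DOMAIN) + " -",
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b.ts, b.client, b.query_data, b.answer_text)
```

The same shape (TXT queries with long, decodable leading labels under a young domain, issued by nslookup spawned from an unexpected parent process) is what a detection rule would key on; the 30-second gap between the two constructed beacons stands in for the C2-controlled interval the article mentions, and min_data_chars is the knob that separates exfiltration from ordinary SPF and DMARC lookups.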