Image by James Webb contains malware

In July 2022, NASA he published the first images taken by the James Webb Telescope. Among them was one showing a galaxy cluster called SMACS 0723.

At the time, NASA called it the deepest infrared image of the universe, and the thousands of galaxies in the image were touted as the faintest objects ever observed in the infrared region of the electromagnetic spectrum.

However, the same image seems to have been "weaponized" by hackers after they managed to add a malicious software inside it.

james webb space

Researchers at security firm Securonix describe a malware campaign called GO#WEBBFUSCATOR, which uses the famous click to seed malware on the Webb telescope image. The biggest advantage comes from using the Golang programming language because it is inherently cross-platform, meaning that the same malicious code can be deployed on different target platforms, Linux, macOS, and Windows.

It all starts with an email containing a malicious Office attachment titled (in Securonix's case, at least) Geos-Rates.docx. Document metadata can trigger a file download.

Once the document is opened, the auto-download scopt stores the malware, which then runs to perform its intended task. The code passed to the system then downloads a jpg image file that looks like the image taken by the Webb telescope.

However, analyzing the image using a text editor reveals that it actually hides a Base64 code that is also the payload, ready to execute and cause damage.

What really raises the threat level here is the fact that the malicious Base64 code gets past all protection systems without triggering any system-level alarm, Securonix reports. Once the payload is executed, it connects the target system to a remote server, leaving the computer at the mercy of hackers. Once a connection is established, encrypted data packets are sent to the hacker.

Securonix states:

“This practice can be used to create encrypted command and control channels, or to extract sensitive data. In addition, the malware tricks the Windows registry's Run key into becoming persistent, meaning that a reboot will not remove the malicious code.

More technical details

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.096 registrants.
James Webb,James Webb Space Telescope,iguru,malware

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).