In July 2022, NASA he published the first images taken by the James Webb Telescope. Among them was one showing a galaxy cluster called SMACS 0723.
At the time, NASA called it the deepest infrared image of the universe, and the thousands of galaxies in the image were touted as the faintest objects ever seen in the infrared. region of the electromagnetic spectrum.
However, the same image seems to have been "weaponized" by hackers after they managed to add a malicious software inside it.
Researchers at security firm Securonix describe a malware campaign called GO#WEBBFUSCATOR, which uses the famous click to seed malware on the Webb telescope image. The biggest advantage comes from using it languageof Golang programming because it is inherently cross-platform, which means that the same malicious code can be deployed on different target platforms Linux, macOS and Windows.
It all starts with an email containing a malicious Office attachment titled (in Securonix's case, at least) Geos-Rates.docx. Document metadata can trigger a file download.
Once the document is opened, the auto-download scopt stores the malware, which then runs to perform its intended task. The code passed to the system then downloads a jpg image file that looks like the image taken by the Webb telescope.
However, the resolution of the image using with some editor text reveals that it is actually hiding a Base64 code that is also the payload, ready to execute and cause damage.
What really raises the threat level here is the fact that the malicious Base64 code gets past all protection systems without triggering any system-level alarm, Securonix reports. Once the payload is executed, it connects the target system to a remote server, leaving the computer at the mercy of hackers. Once a connection is established, encrypted data packets are sent to the hacker.
Securonix states:
“This practice can be used to create encrypted command and control channels, or to export sensitive data. In addition, the malware tricks the registry Windows Run key and it becomes permanent, which means that restarting will not remove the malicious code.
