Image by James Webb contains malware

In July 2022, NASA published the first images taken by the James Webb telescope. Among them was one showing a galaxy cluster called SMACS 0723.

At the time, NASA called it the deepest infrared image of the universe, and the thousands of galaxies in the image were touted as the faintest objects ever observed in the infrared region of the electromagnetic spectrum.

However, the same image appears to have been "weaponized" by hackers, who managed to embed malicious software in it.


Security researchers at Securonix describe a malware campaign called GO#WEBBFUSCATOR that uses the famous Webb telescope image to seed malware. Its biggest advantage comes from the use of the Golang programming language, which is natively cross-platform, meaning the same malicious code can be deployed against different target platforms: Linux, macOS and Windows.

It all starts with an email containing a malicious attachment titled (in the case analyzed by Securonix, at least) Geos-Rates.docx. The document's metadata triggers a file download.

Once the document is opened, the automatically downloaded script stores the malware, which then runs to perform its intended task. The code delivered to the system then downloads a JPG image file that looks like the image taken by the Webb telescope.

However, opening the image in a text editor reveals that it actually hides Base64-encoded code, which is the payload itself, ready to execute and cause damage.

What really raises the threat level here is the fact that the malicious Base64 code gets past all protection systems without triggering any system-level alarm, Securonix reports. Once the payload is executed, it connects the target system to a remote server, leaving the computer at the mercy of hackers. Once a connection is established, encrypted data packets are sent to the hacker.
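To make that indicator concrete, here is an added example (not from the article or from Securonix) in Python that flags a JPEG carrying data appended after its end-of-image marker and Base64 runs that decode to an executable. The sample image and the "MZ" payload are constructed for the demonstration, not the real campaign file.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A run of 64+ Base64-alphabet characters is unusual inside compressed image data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")  # PE, ELF, 64-bit Mach-O

def trailing_data(image: bytes) -> bytes:
    """Bytes after the last end-of-image marker; a clean JPEG has none."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    eoi = image.rfind(JPEG_EOI)
    return b"" if eoi == -1 else image[eoi + len(JPEG_EOI):]

def base64_payloads(data: bytes) -> list:
    """Return every Base64 run in `data` that decodes cleanly."""
    found = []
    for match in B64_RUN.finditer(data):
        blob = match.group(0)
        blob = blob[len(blob) % 4:]  # drop leading image bytes that happen to be Base64 chars
        try:
            found.append(base64.b64decode(blob, validate=True))
        except (binascii.Error, ValueError):
            continue
    return found

def scan_jpeg(image: bytes) -> dict:
    """Summarise indicators: appended bytes, decodable Base64 runs, executable magic."""
    payloads = base64_payloads(image)
    return {
        "trailing_bytes": len(trailing_data(image)),
        "payloads": len(payloads),
        "executable": any(p.startswith(EXEC_MAGIC) for p in payloads),
    }

# Constructed sample, not the real campaign image: a tiny JPEG-like shell with a
# fake "MZ" payload Base64-encoded and appended after the end-of-image marker.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 70
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
TAMPERED_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_PAYLOAD)

if __name__ == "__main__":
    print("clean:   ", scan_jpeg(CLEAN_JPEG))
    print("tampered:", scan_jpeg(TAMPERED_JPEG))
```

A real image may legitimately carry a few trailing bytes (metadata or padding), so treat the combination of appended data, a decodable Base64 run and executable magic as the alert condition rather than any one signal alone.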

Securonix states:

“This practice can be used to create encrypted command channels, or to extract sensitive data. In addition, the malware tricks the Windows registry's Run key into becoming persistent, meaning that a reboot will not remove the malicious code.”

More technical details

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
