Have you been marveling at the images of the stars sent back by the James Webb Space Telescope? Have you been sent images via email and opened them? If so, you may have been infected by malware.
A malware campaign tracked as GO#WEBBFUSCATOR is underway that uses malware written in the Go language to compromise unsuspecting users.
It arrives in emails carrying a document with a VBA macro, and it has been around for a while. The newest variant has been spotted hiding inside images from the James Webb Space Telescope.
The malware campaign has been seen a few times in different guises. This latest version was discovered by researchers from Securonix.
"The deobfuscated [macro] code executes [a command] which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it," Securonix researchers said.
The binary, a Windows 64-bit executable 1.7MB in size, is not only equipped to fly under the radar of antimalware engines, but is also hidden by means of a technique called gobfuscation, which makes use of a Golang obfuscation tool publicly available on GitHub. Microsoft has blocked macros in Office apps, but this doesn't seem to be stopping the attack.
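The trick the quoted researchers describe, an image file that certutil.exe turns into an executable, leaves a fingerprint: a normal JPEG followed by a base64 block that decodes to a Windows PE ("MZ" header). The scanner below is an added example, not code from the campaign or from Securonix; the sample bytes are constructed here and the "executable" is just an MZ header plus filler.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker; bytes after it are trailer data
PE_MAGIC = b"MZ"             # DOS/PE header of a Windows executable
# certutil -decode accepts base64 with or without PEM-style BEGIN/END lines;
# match long runs of base64 text, allowing line breaks between 76-column lines.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")


def find_embedded_pe(data: bytes) -> dict:
    """Report whether an image file carries a base64-encoded PE after its EOI marker."""
    result = {"is_jpeg": data.startswith(JPEG_SOI), "hidden_pe": False,
              "payload_offset": None, "decoded_size": 0}
    eoi = data.rfind(JPEG_EOI)               # last EOI; thumbnails may have their own
    start = eoi + len(JPEG_EOI) if eoi != -1 else 0
    trailer = data[start:]
    for m in B64_RUN.finditer(trailer):
        chunk = re.sub(rb"[\r\n]", b"", m.group(0))
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # whole base64 quanta only
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        if decoded.startswith(PE_MAGIC):
            result.update(hidden_pe=True, payload_offset=start + m.start(),
                          decoded_size=len(decoded))
            break
    return result


# Constructed samples (assumptions, not real campaign files): a minimal stand-in
# for a JPEG, and the same bytes with a certutil-style certificate block appended.
SAMPLE_CLEAN = JPEG_SOI + b"\xe0" + b"\x00" * 40 + JPEG_EOI
FAKE_PE = PE_MAGIC + b"\x00" * 62 + b"constructed filler, not a real PE"
SAMPLE_TROJANIZED = (SAMPLE_CLEAN
                     + b"-----BEGIN CERTIFICATE-----\r\n"
                     + base64.encodebytes(FAKE_PE).replace(b"\n", b"\r\n")
                     + b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("trojanized", SAMPLE_TROJANIZED)):
        print(name, find_embedded_pe(blob))
```

Run over a mail gateway's quarantined image attachments, a positive result is worth an alert on its own; pair it with process-creation logging for certutil.exe invoked with -decode on an image path to catch the execution stage.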
The campaign is expected to switch to LNK and ISO files, but the attacks being seen right now still use VBA macros. If you use Office 365 or keep your version of Office updated, it should block the macro and refuse to run it.
If you’re using an older version of Office, you may still be susceptible to it.
These new Go malware variants are tough to spot and tougher to reverse engineer, so we expect to see a lot more of them.
In the meantime, practice good email hygiene and delete attachments from senders you don't know, and you should be fine!