One of the first images taken by the James Webb Telescope that was released by NASA was the “sharpest infrared image of the distant universe to date.” It’s a wondrous photo showing a detailed cluster of galaxies. It’s also currently being used by bad actors to infect systems with malware. Security analytics platform Securonix has identified a new malware campaign that uses the image, and the company is calling it the GO#WEBBFUSCATOR.
The attack starts with a phishing email containing a Microsoft Office attachment. Hidden within the document’s metadata is a URL that downloads a file with a script, which runs if certain Word macros are enabled. That, in turn, downloads a copy of Webb’s First Deep Field photo (pictured above) that contains as a malicious code masquerading as a certificate. In its report about the campaign, the company said all anti-virus programs were unable to detect the malicious code in the image.
Securonix VP Augusto Barros told Popular Science that there are a couple of possible reasons why the bad actors chose to use the popular James Webb photo. One is that the high-resolution images NASA had released come in massive file sizes and can evade suspicion in that regard. Also, even if an anti-malware program flags it, reviewers might pass it over since it’s been widely shared online in the past couple of months.
Another interesting thing of note about the campaign is that it uses Golang, Google’s open-source programming language, for its malware. Securonix says Golang-based malware are rising in popularity, because they have flexible cross-platform support and are more difficult to analyze and reverse engineer than malware based on other programming languages. Like other malware campaign that starts with a phishing email, though, the best way to avoid being a victim of this attack is to avoid downloading attachments from untrusted sources.