Security firm Securonix disclosed this week that it has discovered a new campaign in which attackers use malware written in the Go programming language, together with a deep-space image captured by the James Webb Space Telescope, to infect victims.
The attack begins with a phishing email carrying a Microsoft Word document, in one case named Geos-Rates.docx. The document's metadata contains an external reference to a template file hosted by the attackers (a technique known as remote template injection), so the malicious template is downloaded and loaded as soon as the user opens the document.
The template contains a VBA macro that runs as soon as the user enables macros. It connects to the attackers' command-and-control (C&C) server and downloads a JPEG image: the first deep-space image released by the Webb telescope, Webb's First Deep Field.
Image source: Securonix
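The external reference described above lives in a well-defined place inside the .docx package: an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The following Python script, an added example and not Securonix's own tooling, opens a .docx as the ZIP archive it is and reports every attached template that Word would fetch from outside the file. The sample documents it builds, and the http://template.example/doc.dotm URL they point at, are constructed for the demonstration and are not artefacts from this campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached template, and the
# package-relationships namespace used by every .rels part.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the targets of attachedTemplate relationships marked External.

    A benign document either has no attachedTemplate relationship or points
    at a local template such as Normal.dotm; an http(s) or UNC target that
    Word must fetch at open time is the remote-template-injection pattern.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: worth a look, but not this check's job
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: str, external: bool) -> bytes:
    """Constructed minimal .docx for testing; not a real sample from the campaign.

    Only the .rels part the check inspects is meaningful; the other parts are
    stubs so the archive looks like a Word package.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        "</Relationships>" % (RELS_NS, ATTACHED_TEMPLATE, template_target, mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL, not the campaign's real infrastructure.
    bad = build_sample_docx("http://template.example/doc.dotm", external=True)
    good = build_sample_docx("Normal.dotm", external=False)
    print("remote templates in bad doc:", find_remote_templates(bad))
    print("remote templates in good doc:", find_remote_templates(good))
```

Run against mail-gateway attachments, any non-empty result is worth quarantining: legitimate documents almost never need Word to download a template at open time, and the template fetch happens before the user is ever asked about macros.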
The James Webb Space Telescope is by far the most advanced space telescope ever built and was launched at the end of last year. Its first deep-field image shows the galaxy cluster SMACS 0723 as it appeared 4.6 billion years ago and is the deepest and sharpest infrared image of the early universe to date.
However, the researchers found that the copy of this SMACS 0723 image served by the attackers hides a malicious program written in Go: a Base64-encoded executable disguised as a certificate, which as of this week had not been detected by any antivirus product. The malware's purpose is to persist on the victim's system so that the attackers can control it through the C&C server.
Beyond riding on the recent public interest in Webb's First Deep Field, the campaign fits a wider trend. According to a survey by information security firm Intezer, malware written in Go increased by 2,000% between 2017 and 2020. Securonix notes that, compared with C++ or C#, Go binaries are harder to analyze and reverse engineer and are more easily built for multiple platforms, and that several frameworks for producing Go malware and executables now exist, such as ColdFire and OffensiveGolang. The company therefore urges everyone to remain vigilant against Go-based malware.