BleepingComputer reports that phishing emails and malware-laced space images from the James Webb telescope are being leveraged in the new 'GO#WEBBFUSCATOR' malware campaign involving Golang-based payloads.
The infection begins with a phishing email carrying the malicious "Geos-Rates.docx" file, which contains an obfuscated VBS macro that executes automatically and decodes a downloaded JPG image into a launchable executable, Securonix researchers reported.
The report showed that opening the file in an image viewer displayed NASA's photo of the galaxy cluster SMACS 0723, but the same file opened in a text viewer displayed a Base64-encoded payload that could be converted into a malicious 64-bit executable. Researchers noted that, once executed, the malware establishes a DNS connection to the command-and-control server and sends encrypted queries over it.
"In the case with GO#WEBBFUSCATOR, communication with the C2 server is implemented using `TXT-DNS` requests using `nslookup` requests to the attacker-controlled name server. All information is encoded using Base64," said Securonix.
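A defender-side check for the image trick described above, added here as an example (not code from Securonix or BleepingComputer): it scans a JPEG for a Base64 run that decodes to a PE file and reports the machine type, with 0x8664 marking a 64-bit executable. The function names, the minimum run length and the sample input are assumptions constructed for illustration; the report summary does not say where in the file the payload sits, so the scan covers the whole file.

```python
import base64
import re
import struct

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
MACHINE_AMD64 = 0x8664       # PE machine type for a 64-bit x86 image
B = rb"[A-Za-z0-9+/]"
# Base64 of data starting with "MZ" always begins "TV" plus one of o, p, q, r.
# Allow line wrapping between 4-character groups and an optional padded tail.
PE_B64 = re.compile(rb"TV[o-r]" + B + rb"(?:\s*" + B + rb"{4}){20,}"
                    rb"(?:\s*(?:" + B + rb"{2}==|" + B + rb"{3}=))?")


def pe_machine(blob):
    """Return the PE machine type if blob starts with a valid PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def scan_image(data):
    """Return [(offset, machine)] for Base64 runs in a JPEG that decode to a PE file."""
    hits = []
    if not data.startswith(JPEG_SOI):
        return hits
    for m in PE_B64.finditer(data):
        try:
            blob = base64.b64decode(b"".join(m.group().split()), validate=True)
        except ValueError:
            continue
        machine = pe_machine(blob)
        if machine is not None:
            hits.append((m.start(), machine))
    return hits


def constructed_sample():
    """Constructed test input: JPEG markers followed by a Base64 stub PE header."""
    stub = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", MACHINE_AMD64) + b"\0" * 64)
    return b"\xff\xd8\xff\xe0" + b"\0" * 32 + b"\xff\xd9\n" + base64.encodebytes(stub)


if __name__ == "__main__":
    for offset, machine in scan_image(constructed_sample()):
        print(f"embedded PE at offset {offset}, machine 0x{machine:04x}")
```

A hit on an image attachment or download is worth escalating regardless of whether the picture renders normally, since a viewer ignores the embedded text.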