NASA’s deep space image is now a malware carrier
The picture, published on July 11, showed thousands of galaxies in a patch of sky approximately the size of a grain of sand and quickly became the talk of the world
Mumbai: NASA unveiled the deepest infrared photo of the universe to date, captured by its James Webb Space Telescope, in July this year. Little did they know that, in less than two months, the same photo would be used as a carrier to smuggle new malware onto the devices of unsuspecting people.
Recently, cybersecurity research firm Securonix uncovered a new phishing campaign in which the picture was being used to slip a previously unknown malware onto target devices. More worryingly, this virus seems to evade all currently known forms of defence against threats.
According to Securonix, the engineers of the malware are sending out phishing emails carrying MS Office attachments that contain the image, which still evokes a lot of curiosity among people. Securonix researchers opened the image file in a text editor and found the hidden code inside it.
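The "hidden code visible in a text editor" detail suggests a simple triage check a defender can run on any suspicious JPEG. The script below is an added example, not Securonix's or the article's code; it assumes the extra content is appended after the image's real End-Of-Image marker (a common way image files are made to carry foreign data), which the article itself does not state. The sample files are constructed and contain no real malware.

```python
"""Defender's check: does a JPEG carry extra data after its real End-Of-Image marker?"""
import string

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
PRINTABLE = set(string.printable.encode())

def jpeg_end_offset(data: bytes) -> int:
    """Walk the segment structure and return the offset just past the primary image's
    EOI. Skipping segments by length keeps an EXIF thumbnail's FF D9 from fooling us."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                 # EOI
            return pos + 2
        if marker == 0xFF:                                 # fill byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:       # RSTn / SOI / TEM: no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                 # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image proper (empty for a well-formed file)."""
    return data[jpeg_end_offset(data):]

def looks_like_text_payload(blob: bytes, min_len: int = 64) -> bool:
    """Flag mostly-printable trailers (base64, PEM-style blocks, script text)."""
    if len(blob) < min_len:
        return False
    return sum(b in PRINTABLE for b in blob) / len(blob) > 0.95

# Constructed sample files (no real malware): a minimal JPEG skeleton, and the same
# skeleton with a PEM-looking text block appended after EOI.
CLEAN_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + EOI)
STUFFED_JPEG = CLEAN_JPEG + (b"-----BEGIN CERTIFICATE-----\n" + b"QUJD" * 40
                             + b"\n-----END CERTIFICATE-----\n")
```

A non-empty trailer is not proof of malice (some cameras and editors append metadata), but a large, mostly-printable one is worth pulling into analysis rather than trusting an antivirus verdict alone.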
“The new malware uses the Golang language. According to researchers at Securonix, the attacker drops payloads that are not currently flagged as malicious by antivirus engines on VirusTotal,” Harshil Doshi, country manager (India), Securonix, told Hindustan Times.
VirusTotal is an online service that scans a submitted file or web page with a large number of antivirus engines and reports which of them flag it. A ‘payload’ is the technical term for the malicious code that a file drops onto the target device.
In simple words, the payload not being flagged on VirusTotal means that the malware can pass completely under the radar of currently available antivirus software. This is in part attributed to the fact that it is written in the Go language, also known as Golang, a language that makes malware more challenging to detect and reverse-engineer.
While not much is known about the malware, dubbed GO#WEBBFUSCATOR, researchers have observed information-stealing capabilities in its code and in the way it communicates with its Command and Control (C2) server. A C2 server controls all the actions of the malware and receives the data extracted by it.
“Overall, the tactics, techniques and procedures observed with GO#WEBBFUSCATOR during the entire attack chain are quite interesting. Using a legitimate image to build Golang code is not very common in our experience or typical, and something we are tracking closely. It’s clear that the original author of the code designed the malware with both some trivial counter-forensics and anti-threat detection methodologies in mind,” Securonix’s preliminary research report stated.