Security Insights: Malware in Webb Telescope Images

Attackers spread malware hidden in images from the Webb Telescope

Securonix researchers recently uncovered a new malware campaign that uses an image taken by the James Webb Space Telescope (JWST) to spread malicious code. The campaign is aptly named GO#WEBBFUSCATOR, as the payload the image carries is written in the cross-platform Go (Golang) programming language. Attackers use phishing emails that lure victims with the latest images taken by NASA's JWST. The fraudulent message contains a Microsoft Office attachment that, when opened, loads an obfuscated VBA macro; if the recipient allows macros to run, it executes automatically.

The macro downloads a file that at first glance looks like the JWST deep-space image, but is in fact a Base64-encoded payload. The macro then uses certutil.exe to decode the downloaded file into a 1.7MB executable and runs it. The binary is obfuscated with a technique called gobfuscation, which relies on an obfuscation tool publicly available on GitHub.

In a dynamic analysis, the researchers found that the malware ensures persistence after launch and communicates with the C2 server. Securonix has provided a set of Indicators of Compromise (IoC) on its site, which includes both network and host indicators as well as detection YARA rules.
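As an added defender-side example (not Securonix's code and not part of the original article), the following Python triage check mirrors the chain described above: it tells a genuine image file apart from a text blob that is really a Base64-encoded executable, including one wrapped in the PEM-style banners and line breaks that certutil.exe -decode tolerates. All sample inputs are constructed inline.

```python
import base64
import re

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
_BANNER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def looks_like_image(data: bytes) -> bool:
    """Genuine JPEG/PNG files start with a binary magic number."""
    return data.startswith(JPEG_MAGIC) or data.startswith(PNG_MAGIC)


def decodes_to_pe(data: bytes) -> bool:
    """True if the bytes are a Base64 text blob whose decoded form starts
    with an MZ header, i.e. a Windows executable disguised as a download."""
    text = data.decode("ascii", errors="ignore")
    text = _BANNER.sub("", text)          # strip PEM-style banners
    text = re.sub(r"\s+", "", text)       # strip line breaks / whitespace
    if not text or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return False
    try:
        decoded = base64.b64decode(text, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return False
    return decoded.startswith(b"MZ")


def classify(data: bytes) -> str:
    """Triage verdict for a file that arrived claiming to be an image."""
    if looks_like_image(data):
        return "image"
    if decodes_to_pe(data):
        return "base64-encoded-executable"
    return "unknown"


def _wrap_as_certutil_blob(raw: bytes) -> bytes:
    """Constructed helper: encode bytes the way a certutil-decodable blob looks."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    body = "\r\n".join(lines)
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n".encode("ascii")


# Constructed samples: a minimal JPEG header and a fake MZ/PE stub (not real malware).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_BASE64_PE = _wrap_as_certutil_blob(FAKE_PE)
```

Run `classify()` over files that a macro or download proxy wrote to disk with an image extension; anything classified as `base64-encoded-executable` warrants a look at the certutil process tree on that host.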

DuckDuckGo's email service enters open beta

DuckDuckGo, best known for its web search engine, has launched Email Protection, a privacy-focused email service for the general public. After a year of testing by selected users, the service has entered open beta and is available for free.

The service works by forwarding e-mail to the recipient's existing mailbox through intermediary disposable addresses that the user creates. Emails sent to these addresses are stripped of advertising and profiling trackers before they reach the user's regular inbox. Disposable addresses can be deactivated individually, and the service also provides a personal address that is used to access the account. There is therefore no need to migrate the mailbox to a new provider.

In addition, the service rewrites links in incoming email so that users who click on them are automatically redirected to the HTTPS version of the destination website. It also allows sending and replying directly from disposable addresses and managing them from a clear dashboard. The service is available as a web browser extension and on mobile devices via the latest version of the DuckDuckGo app.

New phishing campaign on Instagram

Security analysts at Vade have spotted a new scam campaign on Instagram that tries to trick users with an offer to verify their account and receive a blue badge. Blue badges next to a username mark a well-known personality, celebrity or brand verified by the platform. Users are invited in an email or message to fill out a form within the next 48 hours to request their verification badge. This creates the sense of urgency and the deadline for acting on the "opportunity" that are typical of phishing.

The fraudulent form has three parts and gradually elicits an e-mail address, phone number and password from the potential victim. The attackers try to make the process look legitimate by using the Instagram logo and a domain name containing "teamcorrectionbadges", which is intended to give the impression that Instagram uses websites other than its own to verify users.

Ransomware attack on the infrastructure of Montenegro

About a week ago, the government of Montenegro announced that the country was exposed to sophisticated and persistent cyber attacks threatening its critical infrastructure. It listed mainly electricity and water supply systems, transport services and others as targets. The country's defense minister attributed the attacks, based on the available evidence, to Russian actors.

This week, however, the Cuba ransomware group claimed responsibility for the incident and is demanding a $10 million ransom from the Montenegrin government. The stolen data appears to include various financial and tax documents, communications with banks and source code.

NÚKIB has launched a website for the upcoming NIS2 directive

Last week, the National Cyber and Information Security Agency (NÚKIB) launched a website to help organizations navigate the requirements of the upcoming revision of the EU directive on the security of network and information systems, NIS2. NÚKIB stated that the website can be useful not only to organizations already covered by the Cyber Security Act, but above all to the large number of organizations that will fall under it once the Act is amended to reflect the revised directive.

The website provides clear and comprehensive information about the NIS2 Directive and its requirements, and summarizes who will be covered by it. It also outlines basic procedures for how organizations can secure their services, which incidents must be reported to NÚKIB, and what sanctions may apply for failing to meet these requirements.

About the series

This series is published alternately with the help of the National Security Team CSIRT.CZ operated by the CZ.NIC association and the CESNET-CERTS security team of the CESNET association, the ALEF-CSIRT security team and security expert Jan Kopřiva. More about the series…
