GO#WEBBFUSCATOR
How
does it work?
Hacker
send an EMAIL with MS Attachment.
The Attachment has a XML in it. Once the
attachment is opened - the XML connects to XMLSchemeFormat[.]com and downloads a malicious Macro.
The
Macro runs a VB script and downloads an image of the outer space – the famous
image from the James Webb Telescope.
This image contains a hidden Base64 file, which when decrypted turns into a 1.7MB windows executable file. Once executed it makes DNS connections and using DNS data exfiltration techniques steals data.
This is sophisticated multi-stage attack that includes email, web, native endpoint tools, steganography and DNS exfil.
Signature based technologies / non of the AV vendors, were able to detect and stop this as of Aug 31st 2022. The very basis of signature based methods cannot stop something like this and this has been a bane to the cyber security industry.
What we need is a technology that does not rely on signatures.
CDR - Content Disarm and Reconstruction (CDR) is one technology that does not rely on Signatures. CDR just extracts the content and writes it on to a new file - leaving behind the hidden malware.
Only networks using CDR are protected against such sophisticated attacks.
CDR cleans the files of macros and as you can see below – the before and after of the file properties of the image– most of their properties are same except for the file size.
Further reading:
https://www.forcepoint.com/blog/x-labs/combatting-james-webb-telescope-image-malware-attack
https://securityaffairs.co/wordpress/135090/malware/gowebbfuscator-james-webb-space-telescope.html
