Tuesday, September 13, 2022

GO#WEBBFUSCATOR

How does it work?

The attacker sends an email with a Microsoft Office attachment. The document's XML contains an external reference; once the attachment is opened, that reference connects to XMLSchemeFormat[.]com and downloads a malicious macro.

The macro runs a VBScript that downloads a picture of deep space: the widely published first image from the James Webb Space Telescope.


The image carries a hidden Base64-encoded payload which, once decoded, yields a 1.7 MB Windows executable written in Go (hence the campaign name). When run, the executable communicates over DNS and steals data using DNS-based exfiltration, encoding the stolen data into the queries it sends.
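As an added example that is not part of the original post: a small hunt over DNS query logs for the exfiltration pattern described above. Data leaving over DNS has to be encoded into query labels, so the tell-tale signs are many distinct, long, high-entropy leftmost labels under a single registered domain. The log format ("epoch client qname"), the client address, the domains and the hex "chunks" are constructed for this example; the registered-domain split takes the last two labels and ignores the public-suffix list, which a production version would not.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution (0 for empty/uniform text)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(lines):
    """Yield (epoch, client, qname) from constructed '<epoch> <client> <qname>' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines instead of crashing the hunt
            continue
        ts, client, qname = parts
        yield int(ts), client, qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Real code should consult the public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def find_exfil_candidates(lines, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Flag registered domains whose unique leftmost labels look like encoded data."""
    per_domain = defaultdict(set)
    for _, _, qname in parse_query_log(lines):
        per_domain[registered_domain(qname)].add(qname)

    candidates = {}
    for domain, qnames in per_domain.items():
        leftmost = [q.split(".")[0] for q in qnames if q != domain]
        if len(leftmost) < min_queries:
            continue                  # too few distinct subdomains to be a carrier
        avg_len = sum(map(len, leftmost)) / len(leftmost)
        avg_ent = sum(shannon_entropy(label) for label in leftmost) / len(leftmost)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            candidates[domain] = {
                "unique_subdomains": len(leftmost),
                "avg_label_len": avg_len,
                "avg_label_entropy": avg_ent,
            }
    return candidates


def make_sample_log():
    """Constructed log: ordinary browsing plus six data chunks smuggled out as hex labels."""
    lines = [
        "1661942400 10.0.0.12 www.example.com",
        "1661942401 10.0.0.12 mail.example.com",
        "1661942402 10.0.0.12 cdn.example.net",
        "1661942403 10.0.0.12 login.example.com",
    ]
    for i in range(6):
        # stand-in for an encoded chunk of stolen data (hex of a hash, 48 chars)
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"{1661942410 + i} 10.0.0.12 {chunk}.example.org")
    return lines


if __name__ == "__main__":
    for domain, stats in find_exfil_candidates(make_sample_log()).items():
        print(f"possible DNS exfiltration via {domain}: {stats}")
```

The thresholds are deliberately loose; tune them against your own resolver logs, and add a query-rate check (queries per client per minute) to separate a beaconing implant from a CDN with hashed hostnames.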

This is a sophisticated multi-stage attack that chains email, web downloads, native endpoint tooling, steganography and DNS exfiltration.

As of 31 August 2022, no signature-based technology, and none of the AV vendors, was able to detect and stop this. Signature-based methods are by their nature unable to stop a payload they have never seen before, and this has long been a bane of the cyber security industry.

What we need is a technology that does not rely on signatures.

Content Disarm and Reconstruction (CDR) is one technology that does not rely on signatures. Instead of looking for known-bad patterns, CDR extracts the legitimate content of a file and writes it into a newly built file, leaving behind anything that does not belong there, such as macros and data hidden after the end of an image.

Networks that pass inbound files through CDR are protected against such sophisticated attacks without needing a signature, because both the macro and the payload appended to the image are stripped before the file reaches the user.

CDR strips macros from documents and trailing data from images. Comparing the file properties of the image before and after CDR, all properties are the same except the file size, which is smaller once the hidden payload has been removed.
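An added example, written for this post and not taken from the Securonix report or any CDR product: the Python below walks a JPEG's marker segments to find the real end-of-image (EOI) marker, treats everything after it as a trailer, looks for Base64 runs in that trailer, decodes them and checks whether the result is a Windows PE. A disarm function then rebuilds the file from the image segments alone, which is what a CDR pass does to an image and why the file size shrinks. The sample JPEG, the embedded fake PE and the certificate-style wrapper are constructed here; that the payload sits after the EOI marker is an assumption made for this example.

```python
import base64
import binascii
import re

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image


def find_eoi(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the EOI marker.

    Anything after that offset is not image data, whatever an image viewer shows.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                              # EOI before any scan: degenerate but valid
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers carry no length
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:
            # SOS: entropy-coded data follows. 0xFF is byte-stuffed as FF 00 in there and
            # restart markers are FF D0..D7, so the first FF D9 is the real EOI.
            # (Simplification: multi-scan progressive files are treated the same way.)
            end = data.find(EOI, pos)
            if end == -1:
                raise ValueError("scan data never terminated by EOI")
            return end + 2
    raise ValueError("truncated JPEG")


# Runs of the Base64 alphabet (line breaks allowed) long enough to be worth decoding
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def looks_like_pe(blob: bytes) -> bool:
    """True for an MZ stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_trailer_payloads(data: bytes):
    """Return (trailer_bytes, [decoded Base64 blobs found after the EOI marker])."""
    trailer = data[find_eoi(data):]
    decoded = []
    for m in B64_RUN.finditer(trailer):
        run = re.sub(rb"\s+", b"", m.group(0))
        try:
            decoded.append(base64.b64decode(run, validate=True))
        except binascii.Error:
            continue                                    # not real Base64, ignore the run
    return trailer, decoded


def disarm_jpeg(data: bytes) -> bytes:
    """CDR-style rebuild: keep the image segments, drop everything after EOI."""
    return data[:find_eoi(data)]


# --- constructed sample (a tiny non-renderable stand-in, not the real campaign image) ---
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
CLEAN_JPEG = SOI + APP0 + SOS + b"\x12\x34\x56\x78" + EOI

# Minimal MZ/PE skeleton: e_lfanew at 0x3C points to "PE\0\0" at offset 0x40
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16

# Payload appended after EOI and dressed up as a certificate block (wrapper assumed)
STEGO_JPEG = (CLEAN_JPEG + b"\n-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_PE) + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    trailer, blobs = extract_trailer_payloads(STEGO_JPEG)
    print(f"{len(trailer)} bytes after EOI, {len(blobs)} Base64 blob(s) decoded")
    for blob in blobs:
        print("  PE executable" if looks_like_pe(blob) else "  unknown data", len(blob), "bytes")
    clean = disarm_jpeg(STEGO_JPEG)
    print(f"disarmed: {len(STEGO_JPEG)} -> {len(clean)} bytes")
```

Run it over a real JPEG with `open(path, "rb").read()`; a non-empty trailer is worth a look on its own, because a well-formed image has nothing after EOI, and a decoded blob that starts with MZ is a finding regardless of whether any signature matches it.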

 

Further reading:

https://www.forcepoint.com/blog/x-labs/combatting-james-webb-telescope-image-malware-attack

https://securityaffairs.co/wordpress/135090/malware/gowebbfuscator-james-webb-space-telescope.html

https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/