The latest cyberattack exploits James Webb images

Cybercriminals took an unprecedented look at the remote corners of the universe allowed by the James Webb telescope, which provides an ideal starting point for attackers to launch new campaigns

Artist conception of the James Webb Space Telescope. Source - NASA GSFC/CIL/Adriana Manrique Gutierrez

A new malware campaign dubbed ‘GO#WEBBFUSCATOR’ and written in Golang has been revealed. This latest threat relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware.

There is also concern about the speed of take-up. Golang is becoming more popular; it is cross-platform and offers increased resistance to reverse engineering and analysis.

Paolo Passeri, Principal Engineer at Netskope, provides insight to Digital Journal about the threat posed by this new malware campaign.

Passeri begins by explaining what makes this latest form of attack such a concern: “This campaign uses an established modus operandi of opportunistic criminals, which is to leverage events with a large societal impact for malicious purposes. However, here, we witnessed some interesting variations.”

He then looks at the big interest in astronomy that has been buzzing around the world and how the criminal entities have used this to promote their malicious programme. He notes: “Cybercriminals took an unprecedented look at the remote corners of the universe allowed by the James Webb telescope, which provides an ideal starting point for attackers to launch new campaigns.”

Here, digital meets digital. Passeri says: “The very nature of the information exchanged (images) has further facilitated their attempts by allowing the use of one of the most common evasion techniques, steganography, which tends to hide malicious content within images. A technique commonly used to evade both the security checks of traffic protection solutions, and the security checks of the user who, under normal conditions, would not expect to be infected with a seemingly harmless artifact such as an image.”

There is more to the sophistication of the campaign, according to Passeri: “A further interesting element of this campaign consists in the use of malware written in Golang, an increasingly popular language among attackers both for its transversal nature at the platform level, and for its resistance at the reverse engineering level, a characteristic that makes it difficult for security analysts to investigate.”

This loops Passeri back to his main theme of how criminals seek to trick the general public: “This campaign once again proposes the risk inherent in the concept of digital trust and its implications in the field of security. The growth of remote work has changed the concept of user trust. Users now place more reliance on digital interactions than on human ones, which lowers the level of guard against any content coming from the Internet (search engines or legitimate cloud applications) and are no longer used to thoroughly check the origin of information.”

Concluding his review of this potent threat, Passeri states: “In fact, it is no coincidence that SEO poisoning techniques (i.e. the use of Search Engine Optimization algorithms to place malicious links on top of the results of search engines) are back in vogue for distributing malware and other malicious content.” 

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
