Phishing with James Webb

The Securonix Threat Labs has identified a new attack campaign by the name GO#WEBBFUSCATOR. The attack begins with a phishing/spearphishing email that contains a malicious attachment – Microsoft Office File with a malicious Macro. Once the user opens the file and allows the Macro to run, it goes on to download a large image file, which happens to be one of the first images taken by the James Webb Telescope. 

Now, the image contains encoded code in base64 format that is decoded using the certutil tool and saved as msdllupdate.exe. This executable file employs quite a few obfuscation techniques to hide from anti-virus softwares. Further, the code is masqueraded as a digital certificate info within the image file. The reason the bad actors may have chosen the image file is for its large size that helps to conceal the large code inside and the fact that it is a beautiful and commonly shared picture that the victims or a security reviewer don’t suspect anything suspicious opening them. 

This executable file does a bunch of tasks with one notable task to create persistence, i.e the malware will continue to function even after rebooting the system. 

The primary objective of the malware appears to be command and control. The communication is estbalished with the executable sending masqueraded DNS requests that contain encrypted messages within the subdomain part of the DNS query to the C2 server hosted by the hackers. The executable could also be used for exfilterating sensitive information out of the victim’s system.