Phishing with James Webb
Attack Methodology
Phishing Email
The victim receives a phishing email carrying a malicious attachment.
Microsoft Office File
The attachment is a Microsoft Office file with a malicious macro. Opening the file and allowing the macro to run triggers the next step.
James Webb Image File
The macro downloads the image file, which carries the payload as encoded text. The text is decoded into a binary and saved on the system.
Malicious Executable
At this stage the executable establishes persistence and gathers information about the host, then opens a channel through which the attackers can control the system or extract sensitive data.
Securonix Threat Labs has identified a new attack campaign named GO#WEBBFUSCATOR. The attack begins with a phishing or spearphishing email that contains a malicious attachment: a Microsoft Office file with a malicious macro. Once the user opens the file and allows the macro to run, it downloads a large image file, which happens to be one of the first images taken by the James Webb Space Telescope.
The image contains the payload as base64 text, which is decoded with the built-in Windows certutil tool (certutil -decode) and saved as msdllupdate.exe. This executable employs several obfuscation techniques to evade antivirus software. The base64 text is not a real certificate: it is wrapped in certificate-style header lines inside the image file, which is the format certutil expects, so the payload passes as certificate data to a casual look. The attackers likely chose this image for two reasons: its large size hides the sizeable encoded payload, and it is a beautiful and widely shared picture, so neither the victim nor a security reviewer would find anything suspicious about it.
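The decoding step above is simple enough to reproduce and, more usefully, to detect. The following Python is an added example written for this post, not code from the original article or from Securonix: it builds a constructed JPEG-shaped file with a certutil-style BEGIN/END CERTIFICATE block appended after the end-of-image marker (the payload is a few dummy bytes starting with the MZ header, not the real msdllupdate.exe), then scans the file the way a triage script would, mirroring what `certutil -decode` does to the block and checking whether the result is a Windows executable.

```python
import base64
import re
from typing import Optional

# certutil -decode base64-decodes the body between these header lines; the
# campaign hid its payload in this wrapper so certutil could recover it.
CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)
JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; anything after it is not picture data
PE_MAGIC = b"MZ"         # DOS header magic of a Windows executable


def build_sample_image(payload: bytes) -> bytes:
    """Constructed sample input: a minimal JPEG-shaped file with a certutil-style
    block appended. Not a real James Webb image and not the real payload."""
    pem = base64.encodebytes(payload)  # 76-column base64 with newlines, like certutil output
    block = b"-----BEGIN CERTIFICATE-----\n" + pem + b"-----END CERTIFICATE-----\n"
    return JPEG_SOI + b"\x00" * 64 + JPEG_EOI + block


def extract_hidden_payload(image: bytes) -> Optional[bytes]:
    """Recover the bytes certutil -decode would write for the first certificate
    block in the file, or None if there is no such block or it is not base64."""
    match = CERT_BLOCK.search(image)
    if match is None:
        return None
    try:
        # validate=False (the default) discards the newlines between base64 lines
        return base64.b64decode(match.group(1))
    except ValueError:
        return None


def scan_image(image: bytes) -> dict:
    """Triage verdict for one file: does a certutil-style block sit after the
    JPEG image data, and does it decode to a Windows executable?"""
    result = {"is_jpeg": image.startswith(JPEG_SOI), "cert_block": False,
              "after_eoi": False, "decoded_size": 0, "is_pe": False}
    match = CERT_BLOCK.search(image)
    if match is None:
        return result
    result["cert_block"] = True
    # The block is appended payload only if the last end-of-image marker
    # precedes it; rfind skips embedded thumbnails, which carry their own EOI.
    result["after_eoi"] = image.rfind(JPEG_EOI, 0, match.start()) != -1
    payload = extract_hidden_payload(image)
    if payload is not None:
        result["decoded_size"] = len(payload)
        result["is_pe"] = payload.startswith(PE_MAGIC)
    return result


if __name__ == "__main__":
    sample = build_sample_image(PE_MAGIC + b"\x90" * 500)  # constructed dummy payload
    print(scan_image(sample))
```

On a real sample the file would be read from disk instead of constructed; the cheap signal is the same: ASCII certificate headers after the JPEG end-of-image marker, decoding to something that starts with MZ. A second, independent detection opportunity is process telemetry: certutil.exe being launched by an Office process is unusual and worth an alert on its own.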
Once running, the executable performs several tasks; the notable one is establishing persistence, so that the malware keeps running after the system is rebooted.
The primary objective of the malware appears to be command and control. The channel is established by having the executable send DNS requests that look like ordinary lookups but carry encrypted messages in the subdomain part of the queried name, which are resolved by the attackers' C2 server. Because outbound DNS is allowed almost everywhere, this traffic blends in with normal activity. The same executable can also be used to exfiltrate sensitive information from the victim's system.
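To make the DNS channel concrete, here is an added Python example (not code from the original article, from Securonix, or from the malware) that shows both sides: how an already-encrypted blob is packed into DNS names that respect the 63-byte label and 253-byte name limits, and how a defender can flag such traffic in query logs. The cipher itself is out of scope, so SHA-256 output stands in for the ciphertext; the C2 domain, the sequence-number label convention and the log lines are all constructed for the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

MAX_LABEL = 63     # RFC 1035 label limit
MAX_NAME = 253     # practical limit for a full name in text form
SEQ_DIGITS = 4     # constructed convention: first label carries the chunk number
C2_DOMAIN = "c2-example.test"   # constructed, not the campaign's real domain

# Deterministic stand-in for an encrypted message (the cipher is not shown).
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))


def _b32(data: bytes) -> str:
    # base32 rather than base64: DNS names are case-insensitive and must not
    # contain '/' or '+', so a case-preserving alphabet cannot be relied on.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_to_queries(ciphertext: bytes, c2_domain: str) -> list:
    """Split ciphertext into DNS names: <seq>.<label>.<label>...<c2_domain>."""
    text = _b32(ciphertext)
    budget = MAX_NAME - len(c2_domain) - SEQ_DIGITS - 1   # room for data labels plus dots
    assert budget >= MAX_LABEL + 1, "domain too long for even one data label"
    queries, seq, pos = [], 0, 0
    while pos < len(text):
        labels, used = [], 0
        while pos < len(text):
            chunk = text[pos:pos + MAX_LABEL]
            if used + len(chunk) + 1 > budget:
                break
            labels.append(chunk)
            used += len(chunk) + 1
            pos += len(chunk)
        queries.append(f"{seq:0{SEQ_DIGITS}d}." + ".".join(labels) + "." + c2_domain)
        seq += 1
    return queries


def decode_queries(queries, c2_domain: str) -> bytes:
    """Server side: reassemble chunks by sequence number, ignoring other names."""
    suffix = "." + c2_domain
    parts = {}
    for name in queries:
        if name.endswith(suffix):
            labels = name[:-len(suffix)].split(".")
            parts[int(labels[0])] = "".join(labels[1:])
    return _unb32("".join(parts[i] for i in sorted(parts)))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return 0.0 if n == 0 else -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name: str) -> str:
    # crude: last two labels; a production pipeline would use the public suffix list
    return ".".join(name.rstrip(".").split(".")[-2:])


def flag_dns_tunnels(log_lines, min_queries=5, min_label=40, min_entropy=3.5) -> list:
    """Parse constructed '<timestamp> <client> <qname>' lines and return domains
    that receive many distinct, long, high-entropy subdomains: the footprint of
    data carried in the query name rather than of ordinary hostnames."""
    stats = defaultdict(lambda: {"unique": set(), "max_label": 0, "max_entropy": 0.0})
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname != dom else ""
        s = stats[dom]
        s["unique"].add(sub)
        for label in sub.split("."):
            s["max_label"] = max(s["max_label"], len(label))
            s["max_entropy"] = max(s["max_entropy"], shannon_entropy(label))
    return sorted(d for d, s in stats.items()
                  if len(s["unique"]) >= min_queries
                  and s["max_label"] >= min_label and s["max_entropy"] >= min_entropy)


def sample_log() -> list:
    """Constructed query log: routine lookups mixed with one tunnel session."""
    benign = ["www.example.com", "mail.example.com", "www.example.com", "cdn.example.com",
              "login.example.com", "www.example.com"]
    names = benign + encode_to_queries(CIPHERTEXT, C2_DOMAIN)
    return [f"2022-08-25T10:00:{i:02d}Z 10.0.0.5 {n}" for i, n in enumerate(names)]
```

The detector keys on three properties at once (many distinct subdomains under one domain, labels near the 63-byte limit, and high per-label entropy) because any one of them alone also describes legitimate CDN and anti-spam lookups. Tune the thresholds against your own resolver logs before alerting on them.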