Pulse Detail — Threat Intelligence

PULSE NAME

New Golang Attack Campaign Leverages Office Macros and James Webb Images to Infect Systems

WHITE AlienVault 2022-08-31 Modified: 2022-09-30

IOCs

LOW VOLUME

The Securonix Threat research team has recently identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. The new campaign incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system with the malware.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1102 T1036 T1530 T1001 T1016 T1033 T1041 T1059 T1071 T1105 T1132 T1140 T1420 T1426 T1547 T1566 T1137.001

Indicators of Compromise (10)

All FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f	—	2022-08-31
FileHash-SHA256	3bdf6d9f0f35be75d8345d897ec838ae231ba01ae898f6d0c8f920ff4061fc22	—	2022-08-31
FileHash-SHA256	d09af37cdbae7273e4e7c79b242023ffdb07c8ccab2280db7fe511d2b14ad19c	—	2022-08-31
FileHash-SHA256	da43ec30fe12c45529e51a0c986a856aa8772483875356f29382ac514788f86d	—	2022-08-31
domain	apiregis.com	—	2022-08-31
domain	updatesagent.com	—	2022-08-31
domain	xmlschemeformat.com	—	2022-08-31
hostname	c44352ssaweq.apiregis.com	—	2022-08-31
hostname	replacewithrandom.c44352ssaweq.apiregis.com	—	2022-08-31
hostname	www.xmlschemeformat.com	—	2022-08-31

References (1)

↗ https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/