Pulse Detail — Threat Intelligence

PULSE NAME

Hackers hide malware in James Webb telescope images

WHITE dekaRituraj 2022-09-01 Modified: 2022-09-30

IOCs

LOW VOLUME

Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1102 T1036 T1530 T1001 T1016 T1033 T1041 T1059 T1071 T1105 T1132 T1140 T1420 T1426 T1547 T1566 T1137.001

Indicators of Compromise (10)

All FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f	—	2022-09-01
FileHash-SHA256	3bdf6d9f0f35be75d8345d897ec838ae231ba01ae898f6d0c8f920ff4061fc22	—	2022-09-01
FileHash-SHA256	d09af37cdbae7273e4e7c79b242023ffdb07c8ccab2280db7fe511d2b14ad19c	—	2022-09-01
FileHash-SHA256	da43ec30fe12c45529e51a0c986a856aa8772483875356f29382ac514788f86d	—	2022-09-01
domain	apiregis.com	—	2022-09-01
domain	updatesagent.com	—	2022-09-01
domain	xmlschemeformat.com	—	2022-09-01
hostname	c44352ssaweq.apiregis.com	—	2022-09-01
hostname	replacewithrandom.c44352ssaweq.apiregis.com	—	2022-09-01
hostname	www.xmlschemeformat.com	—	2022-09-01

References (2)

↗ https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/ ↗ https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-james-webb-telescope-images/