By utilizing the infamous deep field image taken from the James Webb telescope the new campaign incorporates an equally interesting strategy.
The payload is obfuscated in order to make it more difficult for the malware to read the computer’s system, as these payloads are encrypted in the Golang programming language.
It has become more and more common for APT groups such as Mustang Panda and others to use malware based on Golang, which is on the rise.
There is a malicious template file in the document which is downloaded and stored as soon as the document is opened. If the user enables macros within the template file, then a VB script in the template will be invoked which will initiate the first phase of the code execution process.
The commands executed by deobfuscated code download a file that is known as:-
This is followed by decoding the data into binary form (msdllupdate.exe) by using certutil.exe and then executing it by finally decompressing it.
There is a lot of interesting information in the image file. The image displayed below shows how it is executed as a standard .jpg image.
The situation becomes more interesting, however, when the text is examined using a text editor. There is malicious code embedded in the image disguised as a certificate that encrypts Base64 data.
There has been a very interesting pattern of TTPs observed throughout the entire attack chain with GO#WEBBFUSCATOR.
However, here below we have mentioned all the recommendations:-
- Do not download unknown email attachments from sources you are not familiar with.
- By following Microsoft’s recommendations, you can prevent Office products from becoming the parent of child processes
- Make sure that you monitor DNS queries that seem suspicious and persistent, and/or repeated nslookup requests that are suspicious.
- Make sure to scan all the endpoints.