Golang Attack Campaign Tracked as GO#WEBBFUSCATOR Applies James Webb Space Telescope Images as Lures to Infect Systems
The modern cyber threat landscape illustrates a growing trend in the use of Golang-based malware, which is actively adopted by multiple hacking collectives. Cybersecurity researchers have recently uncovered a novel Golang-based malicious campaign tracked as GO#WEBBFUSCATOR, in which hackers leverage a notorious deep field image taken from NASA’s James Webb Space Telescope as a lure to deploy malware on compromised systems.
GO#WEBBFUSCATOR Activity Detection: Novel Golang-Based Attack Campaign
Cybersecurity practitioners constantly strive to enrich their defensive toolkit to keep pace with the growing attack volumes. SOC Prime’s Detection as Code platform has recently released a curated Sigma rule crafted by the prolific Threat Bounty Program developer, Osman Demir, to help organizations promptly identify the Golang-based malware strains spread in the ongoing GO#WEBBFUSCATOR attack campaign. Follow the link below to instantly gain access to the dedicated context-enriched Sigma rule available from SOC Prime’s Cyber Threats Search Engine:
Sigma rule to detect the malicious activity associated with the GO#WEBBFUSCATOR attack campaign
This detection is compatible with 23 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform and is aligned with the MITRE ATT&CK® framework, addressing the Execution tactic and Command and Scripting Interpreter (T1059) as its primary technique.
By joining the ranks of SOC Prime’s crowdsourced initiative, Threat Bounty Program, detection content contributors can gain an opportunity to craft their own Sigma and YARA rules, share them with the global cyber defender community, and receive recurrent rewards for their contribution.
To help organizations stay ahead of attackers and proactively defend against Golang-based malware, which is being actively developed and distributed by cyber criminals, SOC Prime offers a comprehensive list of dedicated detection algorithms. Click the Explore Detections button below to reach the list of relevant Sigma rules to identify Golang-based threats accompanied by insightful contextual information, like MITRE ATT&CK and CTI links, mitigation recommendations, and more actionable insights.
GO#WEBBFUSCATOR Attack Analysis
Malware samples written in the Go programming language have seen a 2,000% increase over the past couple of years, being actively leveraged in adversary campaigns by infamous APT groups, such as Mustang Panda and APT28. The Securonix Threat Research team has recently uncovered a new Golang attack campaign known as GO#WEBBFUSCATOR. In this malicious campaign, hackers use legitimate James Webb Space Telescope images to hide malware samples written in the Golang programming language.
Adversaries rely on the phishing email attack vector to spread the malware. The infection chain is triggered by a Microsoft Office attachment, which, if opened, downloads a malicious template file. The latter contains a VB script, which executes malicious code as soon as the compromised user enables the macro. The deobfuscated code downloads a JPG lure file showing the first deep field capture from the James Webb telescope, which doubles as a malicious Base64-encoded payload. The malware applies sophisticated anti-analysis techniques and takes advantage of the Golang-based Gobfuscation tool available on GitHub to evade detection.
Attackers communicate with the C&C server via encrypted DNS queries and responses, allowing the malware to execute commands sent by the server through the Windows cmd.exe command-line interpreter.
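The infection chain above hinges on an image file that still renders as a normal picture yet carries a Base64-encoded payload. The following is an added example, not code from the original article or from the Securonix report: a defensive file check that assumes the payload is appended after the JPEG end-of-image marker (one way such a dual-purpose image can be built) and flags trailing Base64 text that decodes to a Windows PE header. The sample files it scans are constructed inline.

```python
# Added example: scan a JPEG for a Base64-encoded payload hidden after the
# image data. Assumption for illustration: the payload sits after the JPEG
# end-of-image marker (0xFFD9); the sample inputs below are constructed.
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# A long run of Base64 alphabet characters with optional '=' padding.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_data(blob: bytes) -> bytes:
    """Return whatever follows the last JPEG end-of-image marker."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = blob.rfind(JPEG_EOI)
    return b"" if eoi == -1 else blob[eoi + len(JPEG_EOI):]


def find_base64_pe(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload if trailing Base64 decodes to a PE, else None."""
    # Drop line breaks/whitespace the payload may be wrapped with before matching.
    compact = re.sub(rb"\s+", b"", trailing_data(blob))
    match = BASE64_RUN.search(compact)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(0), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid Base64 (e.g. bad padding), so not our pattern
    return decoded if decoded.startswith(b"MZ") else None


# Constructed samples: a minimal JPEG skeleton, and the same skeleton followed
# by a Base64-encoded stand-in for a PE file (an MZ header plus filler only).
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI
SUSPECT_JPEG = CLEAN_JPEG + b"\n" + base64.b64encode(FAKE_PE) + b"\n"

if __name__ == "__main__":
    print("clean  :", find_base64_pe(CLEAN_JPEG))
    print("suspect:", find_base64_pe(SUSPECT_JPEG) is not None)
```

Run it over attachments or proxy-captured images to triage files that look like pictures but carry an executable; a hit warrants sandboxing the file rather than trusting its extension.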
The ever-changing threat landscape requires ultra-responsiveness from cyber defenders. Search socprime.com to timely react to emerging threats and streamline threat investigation or make the most of enhanced cyber defense capabilities with customized Detection-as-Code content available on demand. Both aspiring and seasoned Threat Hunters and Detection Engineers can enrich collective industry expertise by authoring and monetizing detection content through collaboration with the SOC Prime Threat Bounty Program.