The James Webb telescope and the high-resolution images of the universe it captures have become a new lure that cybercriminals use to scam their potential victims and distribute malware. Through a campaign called “GO#WEBBFUSCATOR”, built on phishing emails, malicious files and the aforementioned space images, hackers began distributing malware to a variety of users.
According to the report by the security firm Securonix, the campaign’s domains were registered on May 29, 2022, and the malware is written in Golang, a programming language that has become popular among hackers because it is cross-platform, meaning it works on Windows, Linux and Mac. It also offers greater resistance to reverse engineering and analysis by cybersecurity experts.
The report states that the author of this threat sends payloads that are not flagged as malicious by the antivirus engines on the VirusTotal scanning platform.
James Webb Image Infection Chain
The firm’s report explains that the infection begins with a phishing email carrying a malicious attachment named “Geos-Rates.docx”, which loads a remote template. That template contains a VBS macro that runs automatically if Office macros are enabled. The macro then downloads a JPG image named “OxB36F8GEEC634.jpg” from the remote resource xmlschemeformat[.]com, decodes it into an executable using certutil.exe, and runs it.
Opened in an image viewer, the JPG shows the galaxy cluster SMACS 0723, photographed by NASA’s James Webb Telescope in July 2022. While at first glance it appears to be a harmless copy of this photo, opening it in a text editor reveals that the image carries additional data disguised as an embedded certificate. This is a Base64-encoded payload which is then decoded into a malicious 64-bit executable.
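The technique described above, a Base64 payload appended after the JPEG image data and dressed up as a certificate, leaves a simple structural trace a defender can look for. The following is an added example, not code from the Securonix report or the RPP article: it finds whatever follows the JPEG End-Of-Image marker, decodes any PEM-style block it finds there, and checks whether the result has the header layout of a Windows executable. The sample image, the certificate wrapper and the payload bytes are all constructed here; nothing below is an artifact from the campaign.

```python
import base64
import binascii
import re

JPEG_EOI = b"\xff\xd9"  # End-Of-Image marker; bytes after it are not pixel data
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def trailing_data(image: bytes) -> bytes:
    """Return the bytes that follow the last JPEG End-Of-Image marker."""
    idx = image.rfind(JPEG_EOI)
    if idx == -1:
        return b""
    return image[idx + len(JPEG_EOI):]


def extract_pem_payloads(blob: bytes):
    """Yield (label, decoded_bytes) for every PEM-style block found in blob."""
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", m.group(2))  # certutil-style wrapping uses newlines
        try:
            yield label, base64.b64decode(body, validate=True)
        except binascii.Error:
            continue  # not valid Base64; skip rather than crash on junk


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' DOS header and an e_lfanew pointing at the 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_jpeg(image: bytes) -> list:
    """Report every PEM block hidden after the image data, noting PE-shaped ones."""
    findings = []
    for label, payload in extract_pem_payloads(trailing_data(image)):
        findings.append(
            {"label": label, "decoded_len": len(payload), "is_pe": looks_like_pe(payload)}
        )
    return findings


# --- Constructed sample, not an artifact from the campaign ------------------
def _fake_pe() -> bytes:
    """Stand-in payload: only the header bytes a real PE would start with."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24 + JPEG_EOI  # minimal JPEG shell
    + b"\n-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_fake_pe())
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for finding in scan_jpeg(SAMPLE_IMAGE):
        print(finding)
```

Run over a directory of images, a hit with `is_pe` set is a strong signal; a PEM block with a non-PE payload still deserves a look, since a genuine photo has no reason to carry a certificate after its image data.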

What is hidden malware doing in James Webb’s images?
Based on the results of dynamic analysis, the malware ensures persistence on the host by copying itself to “%%localappdata%%\microsoft\vault” on the local drive and adding a new registry key. Once running on the system, the malware establishes a DNS connection with its command-and-control (C2) server in order to send it encrypted requests.
“Encrypted messages are read and decrypted on the C2 server, thus revealing their original content,” Securonix notes, adding that the C2 can respond to the malware by setting time intervals between connection requests, changing the nslookup timeout, or sending commands to be executed with the Windows cmd.exe tool.
In the course of the firm’s tests, the authors of this threat were found to run arbitrary enumeration commands on its test systems, which is the first step in standard reconnaissance.
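DNS-based command and control of the kind described above leaves a recognisable pattern in resolver logs: one client sending many queries to a single domain whose subdomain labels look like encoded data and almost never repeat. The following is an added example, not code from the Securonix report or the article, and it uses a generic DNS-tunnelling heuristic rather than the campaign’s actual query format. The log format (`timestamp client qname qtype`), the log lines, the client addresses and the domain `c2-placeholder.test` are all constructed for the example, and the registrable-domain logic is a deliberate simplification noted in the code.

```python
import math
import re
from collections import defaultdict

# Assumed log format (one query per line): "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain.
    A production version would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client_ip, qname) pairs from the assumed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qname, _qtype = m.groups()
            yield client, qname.rstrip(".").lower()


def detect_dns_tunnels(text: str, min_queries: int = 4,
                       min_entropy: float = 3.5, min_unique_ratio: float = 0.8) -> list:
    """Flag (client, domain) pairs whose subdomains look like encoded data:
    many queries, high-entropy leftmost labels, and almost no repeats."""
    groups = defaultdict(list)
    for client, qname in parse_log(text):
        domain = registered_domain(qname)
        sub = qname[: len(qname) - len(domain)].rstrip(".")
        groups[(client, domain)].append(sub)

    alerts = []
    for (client, domain), subs in groups.items():
        labeled = [s for s in subs if s]  # queries that actually carry a subdomain
        if len(subs) < min_queries or not labeled:
            continue
        avg_entropy = sum(shannon_entropy(s.split(".")[0]) for s in labeled) / len(labeled)
        unique_ratio = len(set(labeled)) / len(labeled)
        if avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            alerts.append({"client": client, "domain": domain, "queries": len(subs),
                           "avg_entropy": round(avg_entropy, 2), "unique_ratio": unique_ratio})
    return alerts


# Constructed log lines; the addresses and domains are placeholders, not IoCs.
SAMPLE_LOG = """\
2022-08-30T10:00:01Z 10.0.0.5 www.example.com A
2022-08-30T10:00:02Z 10.0.0.5 mail.example.com A
2022-08-30T10:00:03Z 10.0.0.5 www.example.com A
2022-08-30T10:00:04Z 10.0.0.9 www.example.org A
2022-08-30T10:00:05Z 10.0.0.9 www.example.org A
2022-08-30T10:00:06Z 10.0.0.9 www.example.org A
2022-08-30T10:00:07Z 10.0.0.9 www.example.org A
2022-08-30T10:00:08Z 10.0.0.7 x3kq9vzt2w8n4hq7pl0m.c2-placeholder.test A
2022-08-30T10:00:09Z 10.0.0.7 b7qd2lz9kxv41m3nw8rt.c2-placeholder.test A
2022-08-30T10:00:10Z 10.0.0.7 p0zm6vk3tq9wy2sx7hn5.c2-placeholder.test A
2022-08-30T10:00:11Z 10.0.0.7 r8tw4nb2kq7xz0vm5lp9.c2-placeholder.test A
2022-08-30T10:00:12Z 10.0.0.7 k2vn8qz5xt1wm7hp3rb4.c2-placeholder.test A
"""

if __name__ == "__main__":
    for alert in detect_dns_tunnels(SAMPLE_LOG):
        print(alert)
```

The three thresholds are the knobs to tune against your own traffic: busy but legitimate hosts repeat the same names (low unique ratio), and CDN hostnames are long but not especially random, so the combination of volume, entropy and uniqueness is what separates an encoded channel from ordinary browsing.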
Source: RPP

I’m Liza Grey, an experienced news writer and author at the Buna Times. I specialize in writing about economic issues, with a focus on uncovering stories that have a positive impact on society. With over seven years of experience in the news industry, I am highly knowledgeable about current events and the ways in which they affect our daily lives.