A hacker has been using an image taken by the James Webb Space Telescope to
load malware onto Windows computers.
The malware-laden image was not detected by any antivirus engine at the time of the report, according to cybersecurity firm Securonix, which obtained a sample of the program.
The hacker is targeting victims through phishing emails carrying a malicious Office document, which is designed to download the malware onto the victim's PC automatically. While analyzing that infection chain, Securonix found that the downloaded components include an image taken by the James Webb Space Telescope.
The image itself is a JPEG file and looks like the iconic photo of a region of space called SMACS 0723, which the space telescope captured earlier this year. But according to Securonix, the file also carries hidden code: it does not affect how the picture renders, but it shows up when the file is opened in a text editor.
“The image contains malicious Base64 code disguised as an included
certificate. At the time of publication, this particular file is undetected
by all antivirus vendors according to VirusTotal,” Securonix wrote in a blog
post.
The hidden data is the main malware program itself, stored as Base64 text. A later stage of the attack decodes that text from the image file into a 64-bit Windows executable named msdllupdate.exe, which is then run on the victim's system.
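As an added illustration of the hiding technique described above (this is not Securonix's code and is not derived from the real image or the real payload), the following Python script locates a PEM-style "certificate" block inside a JPEG and checks what it actually decodes to. The JPEG framing, the fake certificate block and the MZ/PE stub are all constructed inline so the script runs offline; the function and constant names are assumptions of this example. It also reports how many bytes sit after the JPEG End-Of-Image marker, since appended data is never rendered and is a cheap first indicator that a picture is carrying something extra.

```python
import base64
import re
import struct
from typing import Optional

# Matches a PEM-style certificate block anywhere in the file, including after
# the JPEG's End-Of-Image marker, where appended data is never rendered.
CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # machine type of a 64-bit Windows PE


def build_fake_pe64() -> bytes:
    """Constructed stand-in for a dropped executable: a bare DOS header whose
    e_lfanew field points at a PE signature with the AMD64 machine type.
    It is not a runnable program, only enough structure for the check below."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    pe_header = b"PE\x00\x00" + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64)
    return dos_header + pe_header + b"\x00" * 18


def build_sample_jpeg(payload: Optional[bytes] = None) -> bytes:
    """Constructed sample: minimal JPEG framing (SOI, JFIF APP0, EOI). If a
    payload is given, it is Base64-encoded and appended after EOI inside a
    fake certificate block, mimicking the technique the article describes."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    eoi = b"\xff\xd9"
    image = soi + app0 + eoi
    if payload is None:
        return image
    fake_cert = (b"-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(payload)
                 + b"-----END CERTIFICATE-----\n")
    return image + fake_cert


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Number of bytes after the last End-Of-Image marker; a clean JPEG has 0."""
    idx = data.rfind(b"\xff\xd9")
    return 0 if idx == -1 else len(data) - idx - 2


def pe_machine(blob: bytes) -> Optional[int]:
    """Return the PE machine type if blob starts with a valid MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def classify_block(encoded: bytes) -> str:
    """Decode one Base64 block and say what it really is."""
    try:
        decoded = base64.b64decode(encoded)
    except ValueError:  # binascii.Error is a ValueError (bad padding etc.)
        return "undecodable"
    machine = pe_machine(decoded)
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return "pe-x64"
    if machine is not None:
        return "pe-other"
    if decoded[:1] == b"\x30":  # DER SEQUENCE: how a genuine certificate starts
        return "der-certificate"
    return "other"


def analyze_image(data: bytes) -> dict:
    """Summarise a JPEG: appended bytes, certificate-looking blocks and verdicts."""
    blocks = [m.group(1) for m in CERT_BLOCK.finditer(data)]
    return {
        "trailing_bytes": trailing_bytes_after_eoi(data),
        "cert_blocks": len(blocks),
        "verdicts": [classify_block(b) for b in blocks],
    }


if __name__ == "__main__":
    for label, img in [("clean", build_sample_jpeg()),
                       ("with hidden PE", build_sample_jpeg(build_fake_pe64()))]:
        print(label, analyze_image(img))
```

The decisive check is the first bytes of the decoded data: a genuine certificate is DER and starts with a SEQUENCE tag (0x30), while a Windows executable starts with "MZ" and points at a "PE\0\0" signature. Base64 text that claims to be a certificate but decodes to an MZ/PE header is exactly the pattern this campaign relied on.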
Securonix analyzed the malware and found that it tries to maintain persistence by registering its binary under a Windows registry Run key, which makes Windows launch the malware again each time the user logs on. The malware is also designed to receive commands from, and report back to, the hacker's command and control server. That combination gives a cybercriminal a foothold to spy on or remotely control an infected system.
It’s not the first time a hacker has used images for malware purposes. Over the years, security researchers have detected cybercriminals using images as a stealthy way to hide their malware or to communicate with malicious programs already running on a victim's machine.
In this case, Securonix notes the malicious document that kicks off the attack can only do so if Office macros are enabled and Office applications are allowed to spawn child processes. With macros disabled or child-process creation blocked for Office, the hacker’s chain won’t auto-execute. The company’s blog post has more recommendations on how to detect and stop the attack.