Hackers Sending Hidden Malware Through James Webb Telescope Image

Recent research by Securonix Threat Research uncovered a persistent attack campaign built on Golang. Securonix tracks this threat as GO#WEBBFUSCATOR.

The new campaign uses an equally interesting strategy: it hides its payload inside the famous deep field image taken by the James Webb telescope.


The payload is obfuscated to make it harder to analyze, and the payloads themselves are written in the Golang programming language.

The use of Golang-based malware by APT groups such as Mustang Panda is on the rise and has become increasingly common.

Technical Analysis

There are a few reasons why APTs may be moving to the Go platform, and why we are seeing more and more of them do so.

There is no doubt that Go binaries are considerably more complex to analyze and reverse engineer than binaries built from languages such as:-

  • C++
  • C#

According to the report, Go is also a very flexible language as far as cross-platform support and compilation are concerned.

Malware authors can maintain a common code base and compile it for multiple target platforms, such as:-

  • Windows 
  • *NIX

The infection begins with phishing emails carrying a Microsoft Office attachment (Geos-Rates.docx). An external reference hidden in the document’s metadata causes a malicious template file to be downloaded.

To pull down the form.dotm file, the “Target=” field is set to a URL crafted to look like a legitimate Microsoft address:-

  • hxxp://www.xmlschemeformat.com/update/2021/Office/form.dotm

The malicious template file is downloaded and saved as soon as the document is opened. If the user enables macros in the template, a VB script in the template is invoked and initiates the first stage of code execution.

The commands run by the deobfuscated code download a file named:-

  • OxB36F8GEEC634.jpg

certutil.exe is then used to decode this data into binary form (msdllupdate.exe), which is then decompressed and executed.

The image file holds a lot of interesting information. The image displayed below shows that it opens as a standard .jpg image.

The situation becomes more interesting when the file is examined in a text editor. Malicious code is embedded in the image as Base64 data disguised as a certificate.
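The certificate-disguised payload described above can be checked for without running certutil at all. The following is an added example (not code from the article or from Securonix) that scans a file for PEM certificate blocks, decodes each one, and flags any whose contents begin with a Windows PE header rather than an ASN.1 certificate; the sample JPEG and fake PE bytes at the bottom are constructed for the demonstration and are not the real OxB36F8GEEC634.jpg.

```python
import base64
import re

# PEM-style certificate block. certutil -decode will extract the base64 between
# these markers regardless of what the surrounding bytes (e.g. a JPEG) contain.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def inspect_image(data: bytes) -> dict:
    """Return findings for one file: JPEG magic present, number of PEM blocks,
    and how many of those decode to something that looks like a PE file."""
    findings = {
        "is_jpeg": data.startswith(b"\xff\xd8\xff"),
        "pem_blocks": 0,
        "pe_payloads": 0,
    }
    for match in PEM_BLOCK.finditer(data):
        findings["pem_blocks"] += 1
        body = re.sub(rb"\s+", b"", match.group("body"))
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # not valid base64; certutil would reject it as well
        # A genuine DER certificate begins with an ASN.1 SEQUENCE tag (0x30);
        # a Windows executable begins with the "MZ" DOS header.
        if decoded.startswith(b"MZ"):
            findings["pe_payloads"] += 1
    findings["suspicious"] = findings["is_jpeg"] and findings["pe_payloads"] > 0
    return findings


# Constructed sample (hypothetical): minimal JPEG header, padding, then a PEM
# "certificate" whose base64 body is actually a fake PE header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    + b"\x00" * 32
    + b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(inspect_image(SAMPLE_JPG))
```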

Recommendations

The GO#WEBBFUSCATOR attack chain shows a very interesting pattern of TTPs from start to finish.

The recommendations are as follows:-

  • Do not download email attachments from unknown or unfamiliar sources.
  • Follow Microsoft’s recommendations to prevent Office products from spawning child processes.
  • Monitor for suspicious, persistent DNS queries and repeated suspicious nslookup requests.
  • Make sure all endpoints are scanned.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.