Hacker uses James Webb Space Telescope image for malware attack
A hacker uses an image taken by the James Webb Space Telescope to load malware onto Windows computers.
The malware-laden image is currently undetected by antivirus engines, according to cybersecurity firm Securonix, which obtained a sample of the program.
The hacker targets victims with phishing emails that carry a malicious Office document designed to download the malware to the victim’s PC automatically. While analyzing that infection chain, Securonix noticed that the software included an image taken by the James Webb Space Telescope.
The image itself is a JPG file and resembles the iconic photo of a region of space known as SMACS 0723, which the space telescope captured earlier this year. But according to Securonix, the file also carries hidden computer code, which becomes visible when the image is opened in a text editor.
“The image contains malicious Base64 code disguised as an included certificate. At press time, this particular file is undetected by all antivirus vendors according to VirusTotal,” Securonix wrote in a blog post.
The hidden code is essentially the main malicious program in disguise. Specifically, the attack Base64-decodes the text embedded in the image file into a 64-bit Windows executable named msdllupdate.exe, which is then run on the Windows system.
Securonix analyzed the malware and found that it maintains persistence on a Windows computer by registering its binary in the Windows Registry Run key, so the malware is launched again at every logon. The malware is also designed to receive commands from and communicate with the hacker’s command-and-control server, so the attack can pave the way for a cybercriminal to spy on or remotely take control of an infected system.
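The technique described above, as an added example that is not code from Securonix or from the malware itself: carve a PEM-style "certificate" block out of a JPEG, Base64-decode it, and check whether the decoded bytes are really a Windows PE executable rather than a certificate. The sample image, the fake certificate block and the stub payload are all constructed inline so the script runs offline; none of them are the real campaign's artifacts.

```python
"""Added example (not Securonix's code): find a PEM 'certificate' hidden in a
JPEG, decode it, and test whether the result is actually a PE executable."""
import base64
import re

# Constructed payload: the first 64 bytes a PE carries ('MZ' magic and an
# e_lfanew field at offset 0x3c pointing at the 'PE\x00\x00' signature).
FAKE_PE = (b"MZ" + b"\x90" * 58
           + (0x40).to_bytes(4, "little")      # e_lfanew -> offset 0x40
           + b"PE\x00\x00" + b"\x00" * 20)

# Constructed "certificate": the payload wrapped in PEM markers, the same
# disguise the article says the Base64 text wore inside the image.
PEM_BLOCK = (b"-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(FAKE_PE)
             + b"-----END CERTIFICATE-----\n")

# Constructed minimal JPEG: SOI, a JFIF APP0 header, padding, EOI, and then
# the fake certificate appended after the end-of-image marker.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
               + b"\xff\xd9" + PEM_BLOCK)

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def find_pem_blocks(data: bytes) -> list:
    """Return the Base64 body of every PEM certificate block in the file."""
    return [m.group(1) for m in PEM_RE.finditer(data)]


def decode_block(b64text: bytes) -> bytes:
    """Base64-decode a PEM body, ignoring the line breaks PEM inserts."""
    return base64.b64decode(b"".join(b64text.split()))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has the MZ header and e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_der(blob: bytes) -> bool:
    """A genuine X.509 certificate is a DER SEQUENCE, so it begins with 0x30."""
    return len(blob) > 0 and blob[0] == 0x30


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last JPEG EOI marker; nothing here is image data."""
    eoi = data.rfind(b"\xff\xd9")
    return b"" if eoi < 0 else data[eoi + 2:]


def triage(data: bytes) -> list:
    """Classify each embedded 'certificate' as pe / der / unknown, with size."""
    results = []
    for b64 in find_pem_blocks(data):
        try:
            blob = decode_block(b64)
        except ValueError:          # binascii.Error subclasses ValueError
            results.append(("undecodable", 0))
            continue
        if looks_like_pe(blob):
            kind = "pe"
        elif looks_like_der(blob):
            kind = "der"
        else:
            kind = "unknown"
        results.append((kind, len(blob)))
    return results


if __name__ == "__main__":
    print("bytes after EOI:", len(trailing_data(SAMPLE_JPEG)))
    print("embedded blocks:", triage(SAMPLE_JPEG))
```

Two checks carry the weight here: a legitimate certificate decodes to DER and starts with 0x30, while a PE starts with "MZ" and has a consistent e_lfanew; and a well-formed JPEG ends at its EOI marker, so any appended bytes are worth a look even before decoding them.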
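The persistence mechanism described above suggests an obvious detection: a Run-key value that points at an executable sitting in a user-writable directory. The following is an added example, not detection content from Securonix's post. The log lines are constructed here, loosely modelled on the fields that Sysmon Event ID 13 (registry value set) records; the SID, user name, file names and paths are all hypothetical.

```python
"""Added example: flag Registry Run-key writes whose payload lives in a
user-writable directory, using constructed Sysmon-style event lines."""
import re
from typing import Optional

# Constructed events, one per line, as space-separated key=value pairs.
# Values contain no spaces, which the simple parser below relies on.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth "
    "Details=C:\\Windows\\System32\\SecurityHealthSystray.exe",
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\msdllupdate.exe "
    "TargetObject=HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\msdllupdate "
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\msdllupdate.exe",
    "EventID=12 Image=C:\\Windows\\regedit.exe "
    "TargetObject=HKCU\\Software\\Example\\Settings Details=(none)",
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\", re.I)


def parse_event(line: str) -> dict:
    """Split a constructed key=value line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def run_key_value_name(target: str) -> Optional[str]:
    """Return the value name if target is under a Run/RunOnce key, else None."""
    m = RUN_KEY_RE.search(target)
    return m.group(1) if m else None


def suspicious_autoruns(lines: list) -> list:
    """Run-key writes whose payload sits where an unprivileged user can write."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":           # only value-set events
            continue
        name = run_key_value_name(ev.get("TargetObject", ""))
        if name is None:
            continue
        payload = ev.get("Details", "")
        if not USER_WRITABLE_RE.search(payload):
            continue
        hits.append({
            "value": name,
            "path": payload,
            # the process writing the key is the payload itself: self-install
            "self_install": ev.get("Image", "").lower() == payload.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry the user-writable rule alone is noisy (the constructed OneDrive line shows a typical benign hit), so the example records whether the writing process and the payload are the same file; an executable that registers itself from a temp directory is the pattern worth paging on, and the rest belongs on an allowlist.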
This is not the first time that a hacker has used images for malicious purposes. Over the years, security researchers have observed cybercriminals using images as a stealthy way to hide malware or to communicate with malicious programs already running on a victim’s machine.
In this case, Securonix notes that the malicious document can only trigger the attack if macros are enabled and Office applications are allowed to spawn child processes. Otherwise, the hacker’s chain cannot run automatically. The company’s blog post has further recommendations on how to detect and stop the attack.