Scammers are using a Webb Telescope photo to hide complex malware

Security experts say the Webb Telescope image isn't even the most impressive part of the malware campaign.
Photo of galaxies in space taken by NASA's James Webb Telescope
This image is safe to enjoy. NASA, ESA, CSA, and STScI

Cyberthreat experts at Securonix, a security analytics and operations management platform, have uncovered a new computer security threat that uses the James Webb Space Telescope's first public image, SMACS 0723, as a component in its impressively complex malware campaign.

Dubbed “GO#WEBBFUSCATOR,” the multistep attack begins as a typical phishing email (Securonix’s sample pushed false satellite phone service plans) containing a file made to look like a Microsoft Office document attachment. When downloaded, the program will subsequently run if a user has certain Word macros enabled, at which point it downloads an additional file: in this case, the Webb Telescope’s SMACS 0723 photo fronting Base64-encoded code. Once executed, the malware runs various tests to determine a computer’s weaknesses for the hackers to then further exploit.
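
As an added illustration (not code from Securonix or from this article), the following defender-side Python check scans an image file's bytes for long Base64 runs like the one described above and reports whether they decode to an executable header. The function name, the 200-character threshold and the sample bytes are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Assumption: a run of 200+ Base64-alphabet bytes does not occur by chance in
# compressed image data, so any such run is worth decoding and inspecting.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

# Magic bytes of executable formats a cross-platform payload could use.
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}


def scan_image(data: bytes) -> list[dict]:
    """Return one finding per long Base64 run embedded in the file bytes."""
    findings = []
    for match in B64_RUN.finditer(data):
        core = match.group().rstrip(b"=")
        padded = core + b"=" * (-len(core) % 4)  # restore canonical padding
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            decoded = b""  # not decodable as-is; the run is still reported
        kind = next((name for magic, name in EXEC_MAGIC.items()
                     if decoded.startswith(magic)), "unknown")
        findings.append({
            "offset": match.start(),
            "encoded_len": len(match.group()),
            "decoded_len": len(decoded),
            "kind": kind,
            "at_end_of_file": match.end() == len(data),
        })
    return findings


# Constructed samples: a stand-in "image" (JPEG start/end markers around filler
# bytes) and the same bytes followed by a Base64-encoded dummy PE header.
CLEAN_IMAGE = b"\xff\xd8" + bytes(range(256)) * 20 + b"\xff\xd9"
DUMMY_PAYLOAD = b"MZ" + b"\x00" * 300  # harmless placeholder, not malware
TAMPERED_IMAGE = CLEAN_IMAGE + base64.b64encode(DUMMY_PAYLOAD)

if __name__ == "__main__":
    print("clean:   ", scan_image(CLEAN_IMAGE))
    print("tampered:", scan_image(TAMPERED_IMAGE))
```

A finding that sits at the end of the file and decodes to an executable header is a strong reason to quarantine the image regardless of how familiar the picture looks.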

Interestingly, the Webb Telescope image isn’t employed as intriguing bait for unsuspecting victims; in fact, they aren’t even supposed to ever see it. As Augusto Barros, Vice President and self-described “Cybersecurity Evangelist” at Securonix, explains, there are still very good reasons for the choice of image. “If it is flagged for review by an anti-malware solution, the reviewer may overlook it as it’s been an image shared through multiple channels lately,” he says, adding that “As the high-resolution images from James Webb Space Telescope are also massive, it also helps reduce any suspicion related to the size of the file.”

Despite the malware’s name, Barros argues that the most fascinating aspect of GO#WEBBFUSCATOR isn’t its use of a Webb Telescope image but the programming language used to construct it: Go, also known as Golang. First unveiled in 2009, Go is a relatively new programming language that has quickly gained popularity for its cross-functionality across operating systems, and only just had its stable release on August 2.

“We are seeing evidence that this language is being adopted by malware developers. It makes it easier to develop cross-platform, network friendly software, which is what malware authors are developing,” says Barros. “It is interesting because it shows that malware developers follow the same pattern of adopting development tools according to their ‘requirements’ as any other developer.”

Although GO#WEBBFUSCATOR’s end-goal remains unclear, it’s still a particularly nasty and ingenious way to infect countless victims’ devices, both in its coding language and Trojan horse tactics. Regardless, it’s probably best to continue getting all the newest, beautiful Webb Space Telescope images directly from the source. Or, you know, from your friendly fellow admirers here at PopSci.