A hacker has been using an image taken by the James Webb Space Telescope to load malware onto Windows computers.
The malware-laden image is not currently detected by antivirus programs, according to cybersecurity firm Securonix, which obtained a sample of the program.
The attack starts with a phishing email carrying a malicious Office document that is designed to download the malware onto the victim's PC automatically. While tracing that download chain, Securonix noticed that one of the files the malware retrieves is an image taken by the James Webb Space Telescope.
The image itself is a JPEG and looks like the iconic photo of a region of space called SMACS 0723, which the space telescope captured earlier this year. But according to Securonix, the file also carries hidden code, which becomes visible when the image is opened in a text editor rather than an image viewer.
(Credit: Securonix)
“The image contains malicious Base64 code disguised as an included certificate. At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal,” Securonix wrote in a blog post.
That hidden text is the core of the malware: the attack chain Base64-decodes it out of the image file into a 64-bit Windows executable named msdllupdate.exe and then runs that program on the victim's system. Because the image still opens as a normal photo, the payload rides inside a file that looks harmless to the user.
Securonix analyzed the program and found that it tries to maintain persistence by writing a reference to its binary "into the Windows registry Run key", which makes Windows relaunch the malware each time the user logs in. The malware is also built to contact the hacker's command-and-control server and receive orders from it. The attack can therefore give a cybercriminal a foothold to spy on or remotely control an infected system.
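To make the mechanism concrete, here is an added example that is not code from the article or from Securonix. It does what an analyst would do by hand: walk a JPEG's marker segments to find the real End-Of-Image marker, collect any Base64 text appended after it (including text wrapped in a fake -----BEGIN CERTIFICATE----- block), decode it, and check whether the result carries a PE header and which CPU the PE targets. The sample image and the PE stub embedded in it are constructed for the demonstration; the real msdllupdate.exe sample is not reproduced here.

```python
import base64
import re

# Constructed sample, not the campaign's real image: a minimal JPEG (SOI,
# one APP0 segment, EOI) followed by a fake PEM "certificate" whose Base64
# body is a hypothetical PE stub. Only the trick (Base64 after EOI dressed
# up as a certificate) comes from the Securonix write-up.
FAKE_PE = (
    b"MZ" + b"\x00" * 58                   # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")         # e_lfanew: PE header at offset 0x40
    + b"PE\x00\x00"                        # PE signature
    + b"\x64\x86"                          # Machine = IMAGE_FILE_MACHINE_AMD64
    + b"\x00" * 18                         # remainder of the COFF header
)
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"    # APP0
    b"\xff\xd9"                                                        # EOI
    + b"\r\n-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(FAKE_PE)
    + b"\r\n-----END CERTIFICATE-----\r\n"
)

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")


def jpeg_trailer(data: bytes) -> bytes:
    """Return everything after the JPEG End-Of-Image marker.

    Walks the marker segments so an FF D9 pair inside a segment or inside
    entropy-coded scan data is not mistaken for the real EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return data[pos + 2:]
        if marker == 0xFF:                              # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn: no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                              # SOS: skip scan data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return b""                                          # no EOI: nothing appended


def _decode(body: bytes):
    body = re.sub(rb"\s+", b"", body)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def hidden_payloads(data: bytes):
    """Return (label, decoded bytes) for each Base64 blob appended to a JPEG."""
    trailer = jpeg_trailer(data)
    found = []
    for m in PEM_RE.finditer(trailer):                  # PEM-armoured blocks
        blob = _decode(m.group(2))
        if blob is not None:
            found.append(("PEM:" + m.group(1).decode(), blob))
    for m in B64_RUN_RE.finditer(PEM_RE.sub(b"", trailer)):   # bare runs too
        blob = _decode(m.group(0))
        if blob:
            found.append(("raw", blob))
    return found


def pe_machine(blob: bytes):
    """Machine field of the PE header if blob is a PE image, else None.
    0x8664 is AMD64, i.e. a 64-bit Windows program like msdllupdate.exe."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return int.from_bytes(blob[e_lfanew + 4:e_lfanew + 6], "little")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    for label, blob in hidden_payloads(data):
        machine = pe_machine(blob)
        verdict = f"PE, machine=0x{machine:04x}" if machine else "not a PE"
        print(f"{label}: {len(blob)} bytes decoded, {verdict}")
```

Run it with a path to any JPEG to list what sits past the end-of-image marker; an empty result means the file ends where the image does. Walking the segments rather than searching for the last FF D9 matters because a binary trailer can itself contain that byte pair.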
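Added example, not from the article or from Securonix: a triage script for the persistence technique just described. It parses a registry export (a constructed one is embedded; the path given for msdllupdate.exe is hypothetical, only the file name comes from the report), pulls every string value under the Run and RunOnce keys, and flags entries whose executable lives in a user-writable directory, which is where dropped malware tends to sit. On a Windows host the same check can be run against the live keys through the standard winreg module.

```python
import re
import sys
from pathlib import PureWindowsPath

# Autostart keys the Securonix write-up points at (Run) plus their RunOnce
# siblings, which behave the same way at logon.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Path components a standard user can write to. Launching from here is not
# proof of compromise, but it is where dropped malware usually lives.
USER_WRITABLE = {"appdata", "localappdata", "userprofile", "temp", "tmp",
                 "downloads", "public", "programdata"}

# Constructed .reg export for demonstration, not a dump of a real machine.
# The msdllupdate.exe location is hypothetical; only the name is from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"msdllupdate"="C:\\Users\\alice\\AppData\\Roaming\\msdllupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"ExampleHelper"="\"C:\\Program Files\\Example Vendor\\helper.exe\" --tray"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)       # .reg escapes \\ and \"


def parse_run_entries(reg_text: str):
    """Return (key, value name, command line) for string values under Run keys."""
    wanted = {k.lower() for k in RUN_KEYS}
    key, out = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and key.lower() in wanted and m:
            out.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return out


def command_path(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    # %APPDATA%-style variables are handled by stripping the percent signs.
    parts = {p.strip("\\/%").lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE)


def suspicious_run_entries(reg_text: str):
    """Run entries whose executable lives in a user-writable location."""
    hits = []
    for key, name, cmd in parse_run_entries(reg_text):
        path = command_path(cmd)
        if is_user_writable(path):
            hits.append({"key": key, "name": name, "path": path})
    return hits


def live_run_entries():
    """Windows only: read the real keys via winreg, same tuple shape as above."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    out = []
    for key in RUN_KEYS:
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, value, _ = winreg.EnumValue(k, i)
                    out.append((key, name, str(value)))
        except OSError:                     # key absent or access denied
            pass
    return out


if __name__ == "__main__":
    # regedit exports are UTF-16 with a BOM; the embedded sample is used otherwise.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for hit in suspicious_run_entries(text):
        print(f"{hit['key']}\\{hit['name']} -> {hit['path']}")
```

On the sample, the OneDrive entry is flagged alongside msdllupdate, because genuine per-user installs also live under AppData. Treat the output as a triage list to check against file signature, hash and prevalence, not as a verdict.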
It's not the first time hackers have used images to deliver malware. Over the years, security researchers have caught cybercriminals using images both as a stealthy way to hide malware and as a channel for communicating with malicious programs already running on a system.
In this case, Securonix notes that the malicious document that kicks off the attack can only do so if macros are enabled for Office and Office applications are allowed to spawn child processes; otherwise the hacker's chain won't auto-execute. The company's blog post has further recommendations on how to detect and stop the attack.