September 1, 2022

STOP! Have you seen this image? Combatting the James Webb Telescope Image Malware Attack

Petko Stoyanov

On August 31, Securonix Threat Labs published a threat research piece pulling back the curtain of a new malware attack. Involving a phishing email, a deceiving Microsoft Office attachment and the first full-colour image taken from the James Webb Telescope, SMACS 0723.

James Webb Telescope - First full-color image

(image: https://www.nasa.gov/image-feature/goddard/2022/nasa-s-webb-delivers-deepest-infrared-image-of-universe-yet)



The attack titled: GO#WEBBFUSCATOR is a complex, multi-stage malware attack designed to infiltrate your computer.

To the best of Securonix’s knowledge, “this campaign has been targeting a range of victims in different countries.” At the time they published their research, this attack was undetected by ALL antivirus vendors, according to VirusTotal:

Securonix image(image: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/)


The Transition from Detection to Prevention:

This has been an ongoing problem with antivirus since its creation in 1987, when Bernd Robert, a German computer security expert created a program to get rid of the first ever .com virus, the Vienna Virus. Since then, the growth of the antivirus industry has continued, developing into what it is today. With one small flaw. We are still reliant on detection-based technologies, such as antivirus, that detect only what they have seen before. Meaning that new, un-seen attacks slip right through traditional defences.

That’s where Forcepoint’s Zero Trust Content Disarm and Reconstruction (CDR) is different. Rather than trying to detect malware, it assumes nothing can be trusted, mitigating against the threat of even the most advanced zero-day attacks and exploits, such as the GO#WEBBFUSCATOR.


Stopping the GO#WEBBFUSCATOR attack:

This complex malware attack comprises of two stages, which combines steganography, native windows tools, and multi-stage embedded malicious content, built to bypass traditional network-based security. We are going to showcase how Zero Trust CDR will stop all stages of this attack, even before it was brought to light.

Stage 1

The attack begins with a phishing email and a Microsoft Office document attachment. Hidden inside the document is underlying XML containing an external reference designed to download the malicious template file and executing using native tools on windows

The image below is from the original document that references the malicious Macro (contained within a remote template.) Line three of the settings.xml references an “attachedTemplate” – this is in reference to a malicious Macro that is automatically pulled down from the malicious domain: XMLSchemeFormat[.]com.

 Malicious doman - XMLSchemeFormat[.]com

However, if Zero Trust Content Disarm & Reconstruction (CDR) was integrated, the document would have been processed before being downloaded. The useful information extracted, transformed into an intermediary format, and built into a brand new document before being opened by the user.

Once the GO#WEBBFUSCATOR word document has been cleaned and transformed by Zero Trust CDR, the following XML would be found instead of the original as shown below.


Stage 2

If stage 1 is successful in executing the malicious template file, then the malicious image, SMACS 0723, is pulled down from the internet and executed from the Macros that have ran in the Microsoft Word document.

The image below is the original, as you can see it contains the following Base64 encoded EXE within the pixel array of the JPEG itself:

Base64 encoded EXE within the pixel array

This is a normal way to see an image if you were to open an image as a text file. The malicious EXE is no longer present in the textual view of the image due to the Zero Trust CDR process, rendering your computer safe from the embedded malware.
Text file view of the image

Meaning that the second stage of the attack is, as was the first, is foiled.

The use of images has long been used to exfiltrate data from organizations. This is a multi-stage attack that combines steganography, native windows tools, and multi-stage embedded malicious content to bypass traditional network-based security.


Why is this so hard to detect?

Below are the side-by-side images of the first full-colour image taken from the James Webb Telescope, SMACS 0723. One contains malicious code that will execute an attack designed to infiltrate your computer with malware and the other is a safe, malware free image.


Which one is dangerous?


The images are visually identical. The resolutions detail is identical:

The images are visually the same; the resolution is identical


The only difference is their file size.

It is impossible for us to rely on the everyday employee to know the difference, and, as shown by the GO#WEBBFUSCATOR attack, we are unable to rely on detection based defences, such as antivirus, to keep us safe. We must now evolve our thinking when it comes to cybersecurity, integrating technologies such as Zero Trust CDR to ensure the security of organisations, now and in the future.


Integrating Zero Trust CDR with your Security Defences:

The un-matched protection that Zero Trust CDR provides also brings great connectability, due to its versatile design. Proving that the benefits of a layered defence is second to none when using Zero Trust CDR to enhance an organizations protection. In fact, here's what Forcepoint Vice President, Eric Trexler, had to say: 

I cannot think of another type of tool that would remove this type of attack as easily or as effectively out of the box from day one.  This is powerful.”


The cyber security community has spent decades detecting these types of attacks. We have millions of detection techniques and yet we are not any safer from these attacks.

This is a multi-stage attack one that includes email web, native endpoint tools, steganography and DNS exfil—making detection unreliable.

These types of techniques, once believed to be reserved for nation states targeting governments and financial organizations are now targeting all organizations without bias. Cybercrimes are also using these same techniques to bypass perimeter defence security, hide in the noise and exfil data using steganography to publicly trusted websites. We need to shift left and focus on preventing these types of attacks using proven prevention rather than relying on detection.

Petko Stoyanov

Petko Stoyanov serves as Forcepoint's Global Chief Technology Officer. He focuses on strategy, technology and go-to-market for  enterprise-focused solutions across the government verticals in Australia, Canada, New Zealand, United Kingdom, and the United States.

Read more articles by Petko Stoyanov

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.