• Home
  • /Learn
  • /New Golang Malware Leverages NASA's Images to Deliver Ransomware
background image


New Golang Malware Leverages NASA's Images to Deliver Ransomware


The incidence of ransomware attacks nearly doubled in 2021. According to Verizon's data breach investigation reports, ransomware attacks now account for 10% of all security breaches.

NASA's images are the latest target of a new ransomware campaign that is using them to deliver its payload. The new campaign, which was published by the Securonix Threat Labs, and first reported by Bleeping Computer, shows how a Golang-based attack is using the image of galaxy cluster SMACS 0723 to hide a malicious Windows executable.

Securonix is tracking the attack campaign in question as GO#WEBBFUSCATOR.

What is Golang malware?

Ransomware is a malware type that stops users from accessing their resources, system files, personal details, etc., by encrypting the files and the system. Hackers offer a key to decrypt the files and the system if a victim pays a ransom. 

Agenda Ransomware is a new ransomware strain written in the Golang language that was spotted in the wild. It targets educational and healthcare institutions in countries like Saudi Arabia, Thailand, Indonesia, and South Africa. Trend Micro researchers said, "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run." 

This malware dubbed GO#WEBBFUSCATOR is running a persistent campaign, increasing the preference of malware operators for the Go programming language. This malware creator preferred Golang because it supports cross-platform code execution, allowing hackers to target various operating systems via a shared codebase. They bind the malware with the popular images so that anyone who opens it for educational or research purposes gets infected.

Qilin is the threat actor behind this malware. The malware allows tailoring of its binary payloads for each victim, enabling the operators to determine what to provide on the ransom note or encryption algorithms and the extensions to utilize. The tweaking of binary payload allows its operators to decide what process list and services to terminate before executing its encryption for locking the system. 

Additionally, this Golang malware evades detection by leveraging the safe mode feature. Once it successfully encrypts all the files and the entire system, it changes the file name and extension to a pre-configured one. Then it will drop a ransom note on every encrypted directory so that when the victim opens any computer directory, they get a ransom note. After executing these processes successfully, it reboots the system in normal mode. Researchers found that the ransomware amount demanded ranges between $50,000 and $800,000.

How the image-based malware attack works

According to the report, the researchers of Securonix Threat Lab – T. Peck, D. Iuzvyk, and O. Kolesnikov – highlighted that in the malware campaign, the attackers use phishing emails containing MS Office attachments named Geos-Rates.docx. When a victim opens the email attachment, it auto-executes an obfuscated VBA macro. This macro downloads a picture file named OxB36F8GEEC634.jpg. In the beginning, it will look like a deep field image from the telescope. But in reality, it is a Base64-encoded payload of size 1.7MB. 

It can easily bypass anti-malware solutions. Also, it employs a technique called "gobfuscation" (Go obfuscation) by leveraging a Golang obfuscation tool (available on GitHub). Researchers further added that attackers use encrypted DNS queries/responses for communication via the C2 server. It can also accept and execute remote commands through the server's Windows Command Prompt.

Malware prevention best practices

  • It is essential to train employees and raise awareness so that they do not download attachments from malicious email senders.

  • To protect data, enterprises should encrypt it using secure algorithms. That way, even if the data is encrypted, cybercriminals can't do anything with it, and the enterprise won't have to pay a ransom.

  • Enterprises should enable robust defence strategies through network traffic analyzers, web filtering, firewalls, endpoint scanning, anti-ransomware solutions, Identity and Access Management solutions, etc.

  • Enterprises should hire robust incident response security professionals or patch management experts to resolve attacks or identify any system vulnerability to restore normalcy immediately after the attack.

Sign up for our newsletter

Get the latest blog posts in your inbox biweekly!