Hackers are hiding malware in a James Webb Telescope image of ancient galaxy

Email includes a photo with malicious code that extracts personal data from computers – and it cannot be detected by antivirus software

  • The James Webb Telescope image was the first to be shared by NASA 
  • Cyberthieves are hiding malicious code in the image and emailing it to unsuspecting users
  • When the user downloads the image, the malware acts as an open window for hackers to steal personal data from the computer 

Bad actors are taking advantage of the popularity of the James Webb Space Telescope (JWST) by hiding malware in the first public image, shared by President Biden in July, which shows a glowing galaxy that formed 4.6 billion years ago.

The image is being used in a phishing email campaign, in which attackers hide malicious code in the photo that is released into victims’ computer systems when downloaded.

The attack, dubbed GO#WEBBFUSCATOR, was discovered by security experts at Securonix who said the malicious file ‘is undetectable by all antivirus systems.’

Securonix VP Augusto Barros told Popular Science that this specific JWST image may have been chosen because even if antivirus software does flag users, they may be more inclined to ignore the warning because this image has been shared around the world.

The original image was released on July 11 in an announcement from The White House.

It shows what NASA describes as the ‘sharpest infrared look at the distant universe to date.’

The image covers a patch of space approximately the size of a grain of sand held at arm’s length by someone on the ground – and reveals thousands of galaxies in the cluster dubbed SMACS 0723.

And cyberthieves are taking advantage of the image’s popularity by transforming it into a digital threat.

Barros also told Popular Science that hackers may have chosen this image because of its high resolution, which ‘helps reduce any suspicion related to the size of the file.’

A blog post shared by Securonix about the campaign states the first part of the ‘infection begins with a phishing email containing a Microsoft Office attachment.

‘The document includes an external reference hidden inside the document’s metadata which downloads a malicious template file.’

When the document is opened, the malicious template file is downloaded and saved on the system.
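In Office Open XML files, a reference like the one described above is stored as a relationship entry marked `TargetMode="External"` inside the package's `.rels` parts. The following is an added example, not code from Securonix or the original article, that lists such entries in a .docx and flags templates loaded from a remote location; the sample package, host name and function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, swap in a hardened parser such as defusedxml

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1_000_000  # skip oversized .rels parts instead of inflating them

def external_references(docx_bytes):
    """Return (part, relationship type, target) for each external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target", "")))
    return found

def remote_templates(docx_bytes):
    """Keep only templates that Word would fetch from a remote location."""
    remote = ("http://", "https://", "\\\\")  # web URL or UNC path
    return [f for f in external_references(docx_bytes)
            if f[1] == "attachedTemplate" and f[2].lower().startswith(remote)]

def build_sample():
    """Constructed package (not a real lure): one remote template, one hyperlink."""
    def rels(*items):
        body = "".join('<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
                       % (i, REL_TYPE, kind, target, mode)
                       for i, (kind, target, mode) in enumerate(items, 1))
        return '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body)
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "http://template.example.invalid/form.dotm", ext)))
        z.writestr("word/_rels/document.xml.rels", rels(
            ("hyperlink", "https://example.invalid/", ext),
            ("styles", "styles.xml", "")))
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in remote_templates(build_sample()):
        print("remote template in %s -> %s" % (part, target))
```

External hyperlinks are common in legitimate documents, so the useful signal is the narrower `attachedTemplate` match rather than every external relationship.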

And the JWST image is presented as a standard JPEG, which helps it evade detection by both the user and antivirus systems.

Barros told Popular Science that this campaign also uses Golang, Google’s new programming language that just had its stable release on August 2.

The cybersecurity experts say Golang is quickly gaining popularity among cyberthieves.

‘We are seeing evidence that this language is being adopted by malware developers. It makes it easier to develop cross-platform, network friendly software, which is what malware authors are developing,’ said Barros. 

‘It is interesting because it shows that malware developers follow the same pattern of adopting development tools according to their ‘requirements’ as any other developer.’

The deep field view of the ancient galaxy, taken by Webb’s Near-Infrared Camera (NIRCam), is a composite made from images at different wavelengths.

According to NASA, SMACS 0723 has a gravitational pull so powerful that it warps both space-time and the path that light subsequently travels through it.

The combined mass of this galaxy cluster operates as a gravitational lens; such lenses, according to NASA, ‘magnify and distort the light of objects behind them, permitting a deep field view into both the extremely distant and intrinsically faint galaxy populations’.

By studying this light, scientists want to learn about the origins of the cosmos, and possibly even catch a glimpse of the elusive photons

***
Read more at DailyMail.co.uk