
Again, a bloody attachment
If you don't open it, you're fine.
When will people learn ?
On top of the fact that you hardly need to click on an attachment to view that particular pic. It's all over the Internet at this point.
Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way. The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft. More specifically, the obfuscated code is Base64- …
From the article ...
"...The infection starts with a phishing email that contains a Microsoft Office attachment named Geos-Rates[.]docx that, when opened, downloads a malicious template file that contains an obfuscated VBA macro..."
Once again Microsoft Office is what allows things to happen... sigh...
I'd have thought the real problem here is that simply opening a document can execute something that claims to be a security certificate. Why? If it's meant to be a certificate, then at most the system should be reading its data and doing something with that data to verify it. Not treating it as binary executable code and actually executing it.
As I read the article, I think you have just fallen into a trap the bad guys set:
"There is a certificate involved, blame the OS for not protecting you"
or similar feelings expressed about the use of a JPEG...
The "certificate" was just used as a wrapper, so that if you spotted the download you'd not be suspicious. Then you'd see certutil.exe run: ok, what else would you use with a certificate? But it was just used to extract the next link in the chain.
(Similarly, the JPEG, abused to innocently carry a link in the chain)
At no point is the "certificate" intended to be handed 'properly' to the OS and hence, as you hoped, be validated: to the OS it is just another piece of downloaded stuff.
Now, you *could* demand that the OS examine every bit of data and validate it before letting any other process access it: now you have either invented the malware scanner or have effectively switched on autorun for everything that is ever downloaded (because you know full well that, for example, detecting that a file is "a certificate" and then running some autovalidation on it means another vulnerability will be found and the fake certs designed to exploit that).
But because of your reaction to the fact one link used a certificate, the bad guys now have you wasting time and energy talking about that - and, who knows, enough people follow suit and pressure OS writers, who add in the autorun scenario "as an extra precaution" (aka to be seen to be doing something) and bingo, attack surfaces grow and grow...
If you read the article, it doesn't.
It's an office macro that does that - the image file is just used to hide the malware code. The office macro runs code that pulls the payload out of the image file and runs that.
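Added example, not from the article or the commenter: a defender-side check for the "image as carrier" trick described above. It assumes the hidden payload sits as a Base64 run after the JPEG End-Of-Image marker (viewers stop rendering at that marker, so the picture still displays); the sample bytes are constructed.

```python
import base64
import re
from typing import Optional

# Markers that bound a JPEG stream: Start-Of-Image and End-Of-Image.
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# A long run of Base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def trailing_bytes(blob: bytes) -> bytes:
    """Bytes after the last EOI marker. A well-formed JPEG ends at FFD9;
    anything that follows is not image data and is never rendered."""
    if not blob.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    end = blob.rfind(EOI)  # rfind: EXIF thumbnails carry their own EOI
    if end < 0:
        raise ValueError("not a JPEG: missing EOI marker")
    return blob[end + len(EOI):]


def base64_trailer(blob: bytes) -> Optional[bytes]:
    """Decode the trailer if it is one contiguous Base64 run, else None."""
    tail = re.sub(rb"\s+", b"", trailing_bytes(blob))
    if not tail or B64_RUN.fullmatch(tail) is None:
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


# Constructed minimal JPEG-like file: SOI, a bare APP0 segment, EOI.
CLEAN = SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + EOI
# Constructed sample trailer (plain text, not real malware), Base64-encoded.
HIDDEN = b"constructed sample trailer, not a real payload "
SUSPECT = CLEAN + base64.b64encode(HIDDEN * 3)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        decoded = base64_trailer(blob)
        print(name, "trailer bytes:", len(trailing_bytes(blob)),
              "decoded:", None if decoded is None else decoded[:40])
```

A trailer that is not Base64 (raw bytes, or a different encoding) still shows up as a non-empty `trailing_bytes` result, which is the cheaper signal to alert on.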
Still, it's an issue. Modifying your comment:
What sort of system attempts to execute code that downloads invisibly a payload from the internet and executes that, simply because the user tried to "view a document"
What sort of system attempts to execute an image file?
A Von Neumann architecture system as opposed to a Harvard architecture system
Old dlls, not written with security in mind can be used to process old and/or esoteric image formats. Abuse of the image format allows malformed data to be presented to the dll, which can end up executing bits of memory it shouldn't, including data that can be carefully constructed parts of the image file.
I'm not saying Harvard architecture is the solution to all security ills, but it would make certain exploit methods pretty much unavailable.
McAfee: Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+
Or for an older issue, where executable instructions are part of the WMF image format:
Wikipedia: Windows Metafile vulnerability and CVE-2005-4560 Detail
After the 7th July bombings in London (the day after the announcement that London would host the 2012 Olympic Games), there were some people who tried to use it to obtain donations for families of the victims. I don't doubt that after the horrendous flooding in Pakistan there will be scam attempts on the Internet to similarly obtain donations to help the victims. In the UK you can donate safely through the Disasters Emergency Committee web site, just make sure it is the right one.
I just hope that talking about some of these languages and some of these types of articles doesn't discourage the use of those languages. Go and Rust are actually very capable and gaining in popularity. The fact that they are used for malicious purposes should not discourage anyone.
"By looking at the URL strings we can determine that the binary file was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server."
So therefore DNS over HTTPs/TLS won't protect you from this. Given that it's trivial to set up a few SOA name servers for temporary domains, the DNS requests can be split across multiple domains and recombined once logged. Requesting unique TXT or other records from your DNS over HTTPS provider will happily pass those requests straight to the malicious/compromised SOA DNS servers.
Intercepting DNS requests by DNS relay servers within the LAN at least allows local logging or filtering of requests to unauthorised domains. DNS/HTTPS bypasses this potential control.
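Added example, not from the article or the commenters: the kind of check a LAN DNS relay can run on the queries it logs, which is the control the comment says DNS over HTTPS bypasses. It groups queries by registered domain and flags domains that receive many unique, long, high-entropy leftmost labels, including the case where the sender splits the data across several domains. The log lines and thresholds are constructed; the two-label "registered domain" rule is a simplification (real code would use the Public Suffix List).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>", not real traffic.
LOG = """\
1662000001 10.0.0.5 A www.example.org
1662000002 10.0.0.5 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.c2-one.test
1662000003 10.0.0.5 TXT 0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.c2-two.test
1662000004 10.0.0.7 A mail.example.org
1662000005 10.0.0.5 TXT 1234abcd5678ef90a1b2c3d4e5f60718.c2-one.test
1662000006 10.0.0.5 TXT fedcba9876543210aabbccddeeff0011.c2-two.test
1662000007 10.0.0.5 TXT 9a8b7c6d5e4f30211f2e3d4c5b6a7980.c2-one.test
1662000008 10.0.0.5 TXT 2b3c4d5e6f708192a3b4c5d6e7f80910.c2-two.test
1662000009 10.0.0.5 A cdn.example.org
"""


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex data tops out at 4.0, Base32 at 5.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def score_domains(log_text: str, min_unique: int = 3, min_label_len: int = 20):
    """Flag domains whose unique leftmost labels look like encoded data."""
    per_domain = defaultdict(set)  # domain -> {(client, qtype, label)}
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        per_domain[registered_domain(qname)].add((client, qtype, qname.split(".")[0]))
    flagged = {}
    for domain, entries in per_domain.items():
        labels = [label for _, _, label in entries]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_label_len:
            flagged[domain] = {"unique": len(labels), "avg_len": round(avg_len, 1),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for domain, stats in score_domains(LOG).items():
        print(domain, stats)
```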