James Webb Images Being Used by Hackers to Store Computer Viruses

Hackers have been using the iconic James Webb Space Telescope image known as Webb's First Deep Field to infect computers with viruses, a cybersecurity company has said.

The online threat was identified by online security firm Securonix and outlined in a blog post on its website on Tuesday.

The spread of the malware starts when a user receives an email that contains a Microsoft Office attachment. Upon opening this attachment, a malicious file is downloaded onto the user's computer that then automatically starts executing commands.

One such command is to download an image file that, when opened, presents the user with a version of the following image.

Webb's First Deep Field
A cropped version of the Webb's First Deep Field image, taken by the James Webb Space Telescope and released by NASA in a White House event on July 11, 2022. The image has been used by hackers to store malware. NASA/ESA/CSA/STScl

This image is Webb's First Deep Field. It gained huge popularity in July this year when it was revealed by NASA as one of the first proper scientific images released by the James Webb Space Telescope, which was launched in December 2021.

What Webb's First Deep Field shows is a vast cluster of galaxies known as SMACS 0723. It was the deepest and sharpest infrared image of the universe ever taken when NASA published it, and it includes glimpses of galaxies that existed when the universe was less than a billion years old—the universe is thought to be about 13.7 billion years old today.

The image downloaded by the malicious file might evoke feelings of wonder, but it is not what it seems. Hidden within the image's code is a dangerous command function that, when automatically decoded, copies itself and allows an external user such as a hacker access to your computer.

Securonix stated that the dangerous file was undetected by all antivirus vendors that it checked using VirusTotal. However, antivirus software company Malwarebytes said in a blog post that their software was able to detect and quarantine the threat, identified as an executable file called Msdllupdate.exe.

In any case, with this access, the hacker could choose to take control of the computer or obtain sensitive data.

Securonix said that using an image to spread this particular type of code was "not very common" and "something we are tracking closely."

The programming language used to make the malware is known as Golang, which some threat actors have started to use according to Malwarebytes. Since this language is cross-platform, it can be used with the aim of penetrating as many systems as possible.

Securonix states that the malicious files are set to be executed if the user enables macros, a term referring to processes that are carried out automatically. Unfortunately, macros can be used by hackers to spread malware easily using legitimate systems.

In February this year, Microsoft said it would begin disabling untrusted macros by default in five of its Office apps.