Hackers are using Morse code to bypass phishing controls

JavaScript files were encoded in ASCII then in Morse to hide code
16 August 2021

Hackers used Morse code to evade detection in a year-long phishing campaign, according to Microsoft researchers.

Researchers said the campaign, first spotted in July 2020, targeted Office 365 users and attempted to get them to hand over credentials using targeted, invoice-themed XLS.HTML attachments. The cyber criminals faked invoices in Excel HTML or web documents to distribute forms that steal information.

According to researchers, the campaign’s primary goal is to harvest usernames, passwords, and – in its more recent iteration – other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.

“The XLS.HTML phishing campaign uses social engineering to craft e-mails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line,” said researchers.

Researchers said that using XLS in the attachment file name prompts users to expect an Excel file. When the victim opens the attachment, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. “Notably, the dialog box may display information about its targets, such as their e-mail address and, in some instances, their company logo.”

Researchers added that hackers changed obfuscation and encryption mechanisms every 37 days on average, “demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.” What stood out in this campaign was the level of obfuscation deployed.

“In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions,” said researchers.

One unusual obfuscation technique was the use of Morse code. Hackers used this in the February (‘Organization report/invoice’) and May 2021 (‘Payroll’) waves of the campaign.

“In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code,” researchers said.
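
For defenders, the layering described above can be unwound mechanically when triaging an attachment. The following Python sketch is an added example, not code from Microsoft or from the campaign: it flags long dot/dash runs in an HTML file and decodes them, assuming the "ASCII" layer means hexadecimal character codes. The sample attachment and its URL are constructed placeholders.

```python
import re

# International Morse code for letters and digits.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
ENCODE = {v: k for k, v in MORSE.items()}  # used only to build the sample below

# A run of at least 20 space-separated dot/dash tokens: rare in legitimate HTML.
MORSE_RUN = re.compile(r"(?:[.-]{1,5} ){19,}[.-]{1,5}")

def decode_morse(run):
    """Decode space-separated Morse tokens; return None if any token is invalid."""
    try:
        return "".join(MORSE[tok] for tok in run.split(" "))
    except KeyError:
        return None

def unhex(text):
    """If text is hex pairs of ASCII codes (assumed layering), return the ASCII string."""
    if len(text) % 2 or not re.fullmatch(r"[0-9a-f]+", text):
        return text
    try:
        return bytes.fromhex(text).decode("ascii")
    except UnicodeDecodeError:
        return text

def scan_attachment(html):
    """Return the decoded strings hidden in Morse runs inside an HTML attachment."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        decoded = decode_morse(m.group(0))
        if decoded:
            findings.append(unhex(decoded))
    return findings

# Constructed sample: a placeholder URL, hex-encoded and then Morse-encoded.
_url = "https://phish.example/a.js"
_morse = " ".join(ENCODE[c] for c in _url.encode("ascii").hex())
SAMPLE = '<html><script>var p = "' + _morse + '";</script></html>'

if __name__ == "__main__":
    print(scan_attachment(SAMPLE))
```

Any finding on an inbound HTML attachment is worth a closer look, since ordinary invoices have no reason to carry long Morse strings.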

Future Publishing