Hackers are using Morse code to bypass phishing controls

JavaScript files were encoded in ASCII then in Morse to hide code

Hackers used Morse code to evade detection in a year-long phishing campaign, according to Microsoft researchers.

Researchers said the campaign, first spotted in July 2020, targeted Office 365 users and attempted to get them to hand over credentials using targeted, invoice-themed XLS.HTML attachments. The cyber criminals faked invoices in Excel HTML or web documents to distribute forms to steal information.

According to researchers, the campaign’s primary goal is to harvest usernames, passwords, and - in its more recent iteration - other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts. 

"The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line," said researchers.

Researchers said that using XLS in the attachment file name prompts users to expect an Excel file. When the victim opens the attachment, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. “Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”

Researchers added that hackers changed obfuscation and encryption mechanisms every 37 days on average, “demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.” What stood out in this campaign was the level of obfuscation deployed.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastDownload now

"In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions," said researchers.

One unusual obfuscation technique was the use of Morse code. Hackers used this in the February ("Organization report/invoice") and May 2021 ("Payroll") waves of the campaign.

"In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code,” researchers said.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021
Owner of DDoS for hire sites found guilty of hacking offences
distributed denial of service (DDOS)

Owner of DDoS for hire sites found guilty of hacking offences

17 Sep 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021