[BreachExchange] Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Aug 13 11:47:54 EDT 2021


https://thehackernews.com/2021/08/hackers-spotted-using-morse-code-in.html

Microsoft has disclosed details of an evasive year-long social engineering
campaign wherein the operators kept changing their obfuscation and
encryption mechanisms every 37 days on average, including relying on Morse
code, in an attempt to cover their tracks and surreptitiously harvest user
credentials.

The phishing attacks take the form of invoice-themed lures mimicking
financial-related business transactions, with the emails containing an HTML
file ("XLS.HTML"). The ultimate objective is to harvest usernames and
passwords, which are subsequently used as an initial entry point for later
infiltration attempts.

Microsoft likened the attachment to a "jigsaw puzzle," noting that
individual parts of the HTML file are designed to appear innocuous and slip
past endpoint security software, only to reveal its true colors when these
segments are decoded and assembled together. The company did not identify
the hackers behind the operation.

"This phishing campaign exemplifies the modern email threat: sophisticated,
evasive, and relentlessly evolving," Microsoft 365 Defender Threat
Intelligence Team said in an analysis. "The HTML attachment is divided into
several segments, including the JavaScript files used to steal passwords,
which are then encoded using various mechanisms. These attackers moved from
using plaintext HTML code to employing multiple encoding techniques,
including old and unusual encryption methods like Morse code, to hide these
attack segments."
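As an added illustration for defenders (not part of the article or of Microsoft's analysis), the snippet below scans an HTML attachment for runs of Morse code and decodes them so an analyst can see what an encoded segment contains; the regex heuristic, the `find_morse_segments` helper and the sample attachment are all constructed for this example.

```python
import re

# Standard International Morse Code table, letters and digits only.
MORSE = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F',
    '--.': 'G', '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L',
    '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R',
    '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X',
    '-.--': 'Y', '--..': 'Z', '-----': '0', '.----': '1', '..---': '2',
    '...--': '3', '....-': '4', '.....': '5', '-....': '6', '--...': '7',
    '---..': '8', '----.': '9',
}

# Heuristic: at least four Morse symbols separated by spaces (letter gaps) or
# slashes (word gaps). Short runs such as "..." in prose are ignored to keep
# false positives down; tune the {3,} repeat count for your own mail flow.
MORSE_RUN = re.compile(r"(?<![.\-])((?:[.\-]{1,5}[ /]+){3,}[.\-]{1,5})(?![.\-])")


def decode_morse(run):
    """Decode one Morse run; '/' marks a word gap, unknown symbols become '?'."""
    words = []
    for word in re.split(r"\s*/\s*", run.strip()):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def find_morse_segments(html):
    """Return (raw_run, decoded_text) pairs for every Morse-looking run in html."""
    return [(m.group(1), decode_morse(m.group(1))) for m in MORSE_RUN.finditer(html)]


# Constructed sample attachment, not material from the real campaign: a script
# carries a Morse string that a decoder stub would turn back into text.
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    "var m = '--- ..-. ..-. .. -.-. . / ...-- -.... ..... / .-.. --- --. .. -.';\n"
    "document.title = decode(m);  // decoder stub omitted in this sample\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for raw, text in find_morse_segments(SAMPLE_ATTACHMENT):
        print(f"Morse run found: {raw!r}\n  decodes to: {text!r}")
```

Flagging the decoded text, rather than the raw attachment bytes, is what lets a scanner compare the hidden segment against ordinary keyword or signature rules.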

Opening the attachment launches a browser window that displays a fake
Microsoft Office 365 credentials dialog box on top of a blurred Excel
document. The dialog box shows a message urging the recipients to sign in
again because their access to the Excel document has purportedly timed out.
In the event the user enters the password, the
individual is alerted that the typed password is incorrect, while the
malware stealthily harvests the information in the background.

The campaign is said to have undergone 10 iterations since its discovery in
July 2020, with the adversary periodically switching up its encoding
methods to mask the malicious nature of the HTML attachment and the
different attack segments contained within the file.

Microsoft said it detected the use of Morse code in the attacks' February
and May 2021 waves, while later variants of the phishing kit were found to
direct the victims to a legitimate Office 365 page instead of showing a
fake error message once the passwords were entered.

"Email-based attacks continue to make novel attempts to bypass email
security solutions," the researchers said. "In the case of this phishing
campaign, these attempts include using multilayer obfuscation and
encryption mechanisms for known existing file types, such as JavaScript.
Multilayer obfuscation in HTML can likewise evade browser security
solutions."