In order to hide malicious URLs in an email attachment, the novel obfuscation technique of using Morse code is being put to use by a new targeted phishing campaign.
The Morse code, invented by Samuel Morse and Alfred Vail is a way of transmitting messages across telegraph wire. Each letter and number is encoded as a series of dots (short sound) and dashes (long sound), while using the Morse code.
To hide malicious URLs in their phishing form to bypass secure mail gateways and mail filters, a threat actor began utilizing Morse code very recently.
This technique is also considered as a novel obfuscation technique since researchers couldn’t find any references to Morse code being put to use in any phishing attacks in the past.
Researchers were able to find numerous samples of the targeted attack uploaded to VirusTotal since February 2nd, 2021, after learning about it from a post on Reddit.
With a mail subject like ‘Revenue_payment_invoice February_Wednesday 02/03/2021’, the phishing attack starts with an email pretending to be an invoice for the company.
The email includes an HTML attachment named in a way that appears to be an invoice in Excel format for the company.
The malicious attachments are named in the format – ‘[company_name]_invoice_[number]._xlsx.hTML.’
When the attachment in viewed in a text editor it is noticed that the threat actors include JavaScript that maps letters and numbers to Morse code.
For example – the letter ‘a‘ is mapped to ‘.-‘ and the letter ‘b‘ is mapped to ‘-…‘, as shown below.
A decodeMorse() function is called by the script to decode a Morse code string into a hexadecimal string. This string is further decoded into JavaScript tags that are injected into the HTML page.
Combined with the HTML attachment, these injected scripts contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again.
The attackers can collect the login credentials, once a user enters their password in the site which will then submit the password to a remote site.
In this highly targeted campaign, the threat actor is using the logo.clearbit.comservice to insert logos for the recipient’s companies into the login form to make it more convincing. Give the logo is not available, it uses the generic Office 365 logo, as shown in the image above.
According to researchers, eleven companies have been targeted by this phishing attack including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti, and Capital Four.
With email gateways getting better at detecting malicious emails, phishing scams are becoming more intricate every day. Due to this, users need to pay more attention to URLs and attachment names before submitting any information. If in any case, they find anything suspicious, then users should contact their network administrators to investigate it further.
It is critical to make sure that Windows file extensions are enabled to make it easier to spot suspicious attachments since phishing emails are now using attachments with double-extension (xlxs and HTML).
To read more, please check eScan Blog
