Hackers use Morse code in phishing attacks to evade detection

Microsoft disclosed a phishing group’s new tactics, which included a “jigsaw puzzle” technique as well as unusual features such as Morse code dashes and dots to disguise its attacks.

The gang uses invoices in Excel HTML or web documents to distribute forms that harvest passwords for later hacking activities. This method bypasses traditional email filtering systems.

According to Microsoft Security Intelligence, the HTML attachment is split into several segments, including the JavaScript files used to harvest credentials, and these segments are then encoded using various mechanisms.

To hide these attack segments, the attackers moved from plaintext HTML code to a variety of encoding schemes, including old and unusual encoding methods like Morse code.

The attachment resembles a jigsaw puzzle. Individual parts of the HTML file may appear harmless at the code level, allowing them to slip past traditional security measures.

The malicious intent is revealed only when these segments are put together and properly decoded.

The attack’s primary goal is to harvest usernames and passwords, but it also collects valuable data such as IP addresses and locations for use in future breaches.

What makes this phishing campaign stand out is the effort put into encoding the HTML page to get around security measures.

The XLS.HTML phishing campaign uses social engineering to craft emails that mimic legitimate financial transactions.

The subject lines of some of the emails contain accented characters.

The attached file name uses the extension xls to give the impression that it is an Excel file.

Opening the attachment launches a browser window that shows a blurred Excel sheet overlaid with a fake Microsoft Office 365 credentials dialogue box.

The dialogue box may show information about its targets, such as their email address and, in certain cases, their company logo.

The attack’s Morse code component is used in conjunction with JavaScript.

Morse code is an old and unusual form of encoding in which characters are represented by dashes and dots.

This technique was detected in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves.

In the February iteration, links to JavaScript files were encoded in ASCII and then in Morse code.

In May, the phishing kit URL’s domain name was encoded in Escape before the full HTML code was encoded in Morse code.
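The following triage sketch for the February-style layering is an added example, not code from Microsoft or from the campaign: it finds long Morse runs in an HTML attachment, decodes them, and flags decoded content that references scripts or URLs. The hex-ASCII second layer, the 20-token threshold, the function names and the `phish.example` sample are assumptions.

```python
import re

# International Morse code for a-z and 0-9, in that order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - "
          "..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.")
MORSE = dict(zip(_CODES.split(), "abcdefghijklmnopqrstuvwxyz0123456789"))

# Assumed heuristic: 20+ space-separated dot/dash tokens is unusual in a real invoice.
MORSE_RUN = re.compile(r"(?:[.-]{1,5} +){19,}[.-]{1,5}")
SUSPICIOUS = re.compile(r"<script|https?://|\.js\b", re.I)


def decode_morse(run):
    """Decode space-separated Morse tokens; unknown tokens become '?'."""
    return "".join(MORSE.get(tok, "?") for tok in run.split())


def unhex(text):
    """Assumed second layer: hex-encoded ASCII. Return text unchanged if it is not hex."""
    if len(text) % 2 == 0 and re.fullmatch(r"[0-9a-f]+", text):
        return bytes.fromhex(text).decode("latin-1")
    return text


def scan_attachment(html):
    """Return (decoded_text, is_suspicious) for every Morse run in the attachment."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        decoded = unhex(decode_morse(match.group()))
        findings.append((decoded, bool(SUSPICIOUS.search(decoded))))
    return findings


def make_sample(hidden):
    """Constructed test fixture: hidden -> hex -> Morse, wrapped in plain-looking HTML."""
    reverse = {v: k for k, v in MORSE.items()}
    morse = " ".join(reverse[c] for c in hidden.encode().hex())
    return f'<html><body><script>var d = "{morse}";</script></body></html>'


if __name__ == "__main__":
    sample = make_sample('<script src="https://phish.example/kit.js"></script>')
    for decoded, bad in scan_attachment(sample):
        print("SUSPICIOUS" if bad else "benign", repr(decoded))
```

The raw sample contains no URL or script path in plaintext, which is why the check has to run on the decoded layer rather than on the attachment as delivered.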

 
