Hackers spotted using Morse code in phishing attacks to evade detection

Microsoft has disclosed details of an evasive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms on average every 37 days, at one point relying on Morse code, with the aim of covering their tracks and surreptitiously harvesting user credentials.

The phishing emails take the form of invoice-themed lures mimicking finance-related business transactions and carry an HTML file attachment (“XLS.HTML”). The ultimate goal is to harvest usernames and passwords, which are then used as the initial point of entry for subsequent infiltration attempts.


Microsoft has likened the attachment to a “puzzle,” noting that the individual parts of the HTML file are designed to appear harmless and pass endpoint security software, only revealing their true nature when those segments are decoded and put together. The company has not identified the hackers behind the operation.

“This phishing campaign illustrates the modern email threat: sophisticated, evasive and ever-changing,” the Microsoft 365 Defender Threat Intelligence Team noted in an analysis. “The HTML attachment is split into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers switched from plain HTML to using several coding techniques, including old and unusual encryption methods like Morse code, to mask these attack segments.”
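As an added example (this is not code from Microsoft's analysis or from the phishing kit itself), the following Python triage helper shows how an analyst can surface Morse-encoded segments hidden inside an HTML attachment: it scans for runs of dot/dash tokens, decodes them with the standard International Morse alphabet, and flags any decoded text that contains credential- or script-related keywords. The sample HTML, the keyword list and the function names are constructed for illustration and are assumptions, not artifacts from the real campaign.

```python
import re

# International Morse alphabet (letters and digits), taken from the public
# standard; punctuation is omitted for brevity.
MORSE_TO_CHAR = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# A candidate Morse run: three or more dot/dash tokens separated by spaces
# or slashes. Ordinary text such as "Loading..." has only one token and is
# therefore not matched.
MORSE_RUN = re.compile(r"[.\-]+(?:[ /]+[.\-]+){2,}")

# Keywords that, when they appear in decoded text, suggest an attack segment.
# This list is a constructed example; tune it to your own environment.
SUSPICIOUS_KEYWORDS = ("password", "login", "script", "document", "eval", "form")

# Constructed sample attachment: a harmless-looking page whose script holds a
# Morse-encoded string standing in for an encoded attack segment.
SAMPLE_HTML = """<html><body>
<p>Your session has expired. Loading...</p>
<script>
  // constructed stand-in for an encoded attack segment
  var seg = ".--. .- ... ... .-- --- .-. -.. / ..-. --- .-. --";
</script>
</body></html>"""


def decode_morse(text):
    """Decode a Morse string. Letters are separated by single spaces; words by
    '/' or two or more spaces. Unknown tokens become '?' so the output keeps
    its alignment with the input instead of silently dropping symbols."""
    words = re.split(r"\s*/\s*|\s{2,}", text.strip())
    decoded_words = []
    for word in words:
        decoded_words.append(
            "".join(MORSE_TO_CHAR.get(tok, "?") for tok in word.split())
        )
    return " ".join(decoded_words)


def find_morse_segments(html):
    """Return every candidate Morse run in the attachment with its decoded
    form and byte offset, so an analyst can inspect the hidden content."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        raw = match.group(0)
        findings.append(
            {"offset": match.start(), "raw": raw, "decoded": decode_morse(raw)}
        )
    return findings


def triage(html, keywords=SUSPICIOUS_KEYWORDS):
    """Return the decoded segments whose content contains a suspicious keyword.
    A non-empty result is a reason to escalate the attachment for full analysis."""
    flagged = []
    for finding in find_morse_segments(html):
        text = finding["decoded"].lower()
        if any(keyword in text for keyword in keywords):
            flagged.append(finding["decoded"])
    return flagged


if __name__ == "__main__":
    for finding in find_morse_segments(SAMPLE_HTML):
        print(f"offset {finding['offset']}: {finding['raw']!r} -> {finding['decoded']!r}")
    print("flagged:", triage(SAMPLE_HTML))
```

The decoder deliberately stops at the first decoding layer: the campaign described here stacked several encodings, so in practice the decoded output is fed back through the same kind of scan (and through base64 or similar decoders) until plain JavaScript appears. Keeping the offset of each hit lets the analyst tie a decoded segment back to the exact place in the attachment where it was hidden.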

Opening the attachment launches a browser window that displays a fake Microsoft Office 365 credentials dialog on top of a blurred Excel document. The dialog box prompts the recipient to sign in again because their access to the Excel document has allegedly expired. If the user enters a password, they are told that the typed password is incorrect, while the malicious script quietly collects the information in the background.


The campaign has reportedly undergone 10 iterations since its discovery in July 2020, with the adversary periodically changing their encoding methods to mask the malicious nature of the HTML attachment and the various attack segments contained within the file.

Microsoft said it detected the use of Morse code in the waves of attacks in February and May 2021, while later variants of the phishing kit were found to redirect victims to a legitimate Office 365 page, instead of showing a fake error message, after the password was entered.

“Email-based attacks continue to make new attempts to bypass email security solutions,” the researchers said. “In the case of this phishing campaign, these attempts include the use of obfuscation and multi-layered encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can also evade browser security solutions.”
