Hackers Used Morse Code to Hide Malicious URLs

As part of a new targeted phishing campaign, hackers used a new obfuscation tactic: hiding malicious URLs in an email attachment with Morse code in order to bypass mail gateways and filters.

The malicious campaign was reported by a Reddit user. The phishing attack begins by sending an email disguised as an invoice for a company with the subject line “Revenue_payment_invoice February_Wednesday 02/03/2021”. The email contains an HTML attachment with a title that looks like an Excel company invoice - "[company_name] _invoice_ [number] ._ xlsx.hTML".

When you view the attachment in a text editor, you can see JavaScript code that maps letters and numbers to Morse code. For example, the letter "a" is mapped to ".-" and the letter "b" to "-...".

The script then calls the decodeMorse() function to decode the Morse code string into a hexadecimal string. The hexadecimal string is then decoded into JavaScript tags, which are inserted into the HTML page.
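For triage, the same two-stage decoding (Morse to hex, hex to text) can be done statically, without opening the attachment in a browser. The following is an added example, not code from the campaign or the original report. The function names, the space separator between Morse tokens, the 20-token threshold and the sample URL are assumptions made for illustration.

```javascript
// Morse codes for the 16 hex digits; the decoded output is a hex string, so these suffice.
const MORSE = {
  '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
  '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
  a: '.-', b: '-...', c: '-.-.', d: '-..', e: '.', f: '..-.',
};
const REVERSE = Object.fromEntries(Object.entries(MORSE).map(([ch, code]) => [code, ch]));

// Statically decode one Morse run: Morse -> hex string -> text.
// Returns null if a token is not a hex digit or the hex length is odd.
function decodeMorseHex(run) {
  const hex = run.trim().split(/\s+/).map((t) => REVERSE[t]);
  if (hex.includes(undefined) || hex.length % 2 !== 0) return null;
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex[i] + hex[i + 1], 16));
  }
  return out;
}

// Scan attachment source for long Morse-like runs and report what they hide.
// minTokens is an assumed threshold that skips ellipses and short dash runs.
function triageAttachment(html, minTokens = 20) {
  const re = new RegExp(`(?:[.-]{1,5}[ \\t]+){${minTokens - 1},}[.-]{1,5}`, 'g');
  const findings = [];
  for (const run of html.match(re) || []) {
    const decoded = decodeMorseHex(run);
    if (decoded === null) continue;
    findings.push({ decoded, urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [] });
  }
  return findings;
}

// Helper used only to build the constructed sample below.
function toMorseHex(text) {
  const hex = [...text].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return [...hex].map((h) => MORSE[h]).join(' ');
}

// Constructed sample: a benign placeholder tag hidden the way the article describes.
const HIDDEN = '<script src="https://example.invalid/login.js"></script>';
const SAMPLE_ATTACHMENT = `<html><script>var m = "${toMorseHex(HIDDEN)}"; /* decodeMorse(m) ... */</script></html>`;

for (const f of triageAttachment(SAMPLE_ATTACHMENT)) console.log(f.urls, f.decoded);
```

A mail gateway that only inspects the attachment's literal text sees no URL in the sample, while the decoded finding exposes it for blocklisting or hunting.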

These embedded scripts, combined with the HTML attachment, contain the various resources required to display a fake Excel spreadsheet stating that the user has timed out and prompting for the password again. As soon as the user enters the password, the form submits the data to a remote site controlled by the attackers.

The campaign is targeted - attackers use the logo.clearbit.com service to insert recipient company logos into the login form to make it more convincing. If no logo is available, the generic Office 365 logo is used.
