Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Morse Code. Show all posts

Phishing Attackers Spotted Using Morse Code to Avoid Detection

 

Microsoft has revealed details of a deceptive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average, including using Morse code, in an attempt to hide their tracks and steal user credentials. 

One of numerous tactics employed by the hackers, who Microsoft did not name, to disguise harmful software was Morse Code, a means of encoding characters with dots and dashes popularised by telegraph technology. It serves as a reminder that, despite their complexity, modern offensive and defensive cyber measures are generally based on the simple principle of hiding and cracking code. 

The phishing attempts take the shape of invoice-themed lures that imitate financial-related business transactions, with an HTML file ("XLS.HTML") attached to the emails. The ultimate goal is to collect usernames and passwords, which are then utilized as an initial point of access for subsequent infiltration attempts. 

The attachment was compared to a "jigsaw puzzle" by Microsoft, who explained that individual pieces of the HTML file are designed to appear innocuous and slip by the endpoint security software, only to expose their true colors when decoded and joined together. The hackers that carried out the attack were not identified by the company.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," Microsoft 365 Defender Threat Intelligence Team said in an analysis. “On their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions." 

When you open the attachment, a counterfeit Microsoft Office 365 credentials dialogue box appears on top of a blurred Excel document in a browser window. The dialogue box displays a message requesting recipients to re-sign in since their access to the Excel document has allegedly expired. When a user types in a password, the user is notified that the password is incorrect, while the virus stealthily collects the information in the background. Since its discovery in July 2020, the campaign is reported to have gone through ten iterations, with the adversary occasionally changing up its encoding methods to hide the harmful nature of the HTML attachment and the many assault segments contained within the file. 

According to Christian Seifert, lead research manager at Microsoft's M365 Security unit, the hackers have yet to be linked to a known group. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.

Threat Actors are Targeting Users Via New Phishing Campaign

 

Threat actors are using Morse code – ‘the novel obfuscation technique’ for targeted phishing campaigns. This technique is known for the code language for Army and security services, by this technique, threat actors are able to hide the email attachment containing malicious URLs.

Last week hackers used the morse code in the phishing emails to bypass secure mail gateways and mail filters. Bleeping Computer discovered the strike on various samples which were uploaded on 2nd February 2021 to VirusTotal. Threat actors targeted the company by sending a malicious email posing to be an invoice for the company. 

This mail looks like – “Revenue_payment_invoice February_Wednesday 02/03/2021” including the HTML attachment for the invoice as [company_name] _ invoice _ [number]._xlsx.html.

The attachment contains mapped letters and numbers then calling out to the decodeMorse() function into a hexadecimal string to decode a Morse code string. The JavaScript is inserted into the code holding assets to provide a fake file asking users for the password permitting threat actors to gain access.

Threat actors are tricking users by using the logo-clearbit.com service to make the form look more convincing, in case the logo is not available then the logo of generic Office 365 is used. The other companies which have suffered due to this phishing attack are Dimensional, Metrohm, SBS, Nuovo IMAIE, ODDO BHF Asset Management, SGS, Dimensional, SBI (Mauritius) Ltd., Bridgestone, Cargeas, Equinti, Capital Four, and Dea Capital.

Morse code was invented by the American artist and inventor Samuel F.B. Morse during the 1830s for electrical telegraphy and further upgraded by American scientist and businessman Alfred Lewis Vail. It is a technique used in telecommunication to encode text characters by an arrangement of dots, dashes, and spaces.