Experts spotted a new targeted phishing campaign that uses a novel obfuscation technique based on Morse code to hide malicious URLs in an email attachment and bypass secure mail gateways and mail filters.
Morse code encodes each letter and number as a series of dots and dashes.
BleepingComputer, which first reported the news, confirmed that this is the first time threat actors in the wild have used Morse encoding to hide malicious URLs in phishing.
The technique was initially detailed in a post on Reddit, now removed (copy in webcache), but BleepingComputer researchers were able to find multiple samples involved in this phishing campaign that have been uploaded to VirusTotal since early February.
The campaign uses emails with the subject ‘Revenue_payment_invoice February_Wednesday 02/03/2021.’ The HTML attachment appears to be an Excel invoice; the naming convention used is ‘[company_name]_invoice_[number]._xlsx.hTML.’
The HTML code includes JavaScript that implements the Morse encoding and decoding operations.
The script includes both morseCode() and morseDecode() functions to implement the novel phishing technique. The hexadecimal string corresponding to the encoded URL is further decoded into JavaScript tags that are injected into the HTML page.
“These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again.” reads the post published by BleepingComputer.
Once the victim provides the password, it is submitted to a remote site.
The threat actors used the logo.clearbit.com service to insert logos of the recipients’ companies into the login form. If a logo is not available, a generic Office 365 logo is used.
BleepingComputer reported that at least eleven companies were targeted with this novel phishing technique. The list of companies is included in the analysis published by BleepingComputer.
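For defenders, the decoding chain described above (Morse code to a hexadecimal string to injected script tags) can be reversed statically to recover the hidden URLs from a suspicious HTML attachment without rendering it. The following Python example is added here and is not code from the campaign or from BleepingComputer's analysis; the space-separated Morse layout, the 20-letter threshold, and the sample attachment with its `example.invalid` URL are constructed assumptions.

```python
import re

# International Morse code, limited to the characters a hex string can contain.
MORSE = {
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
}
# Assumption: Morse letters are separated by single spaces; 20+ letters in a
# row is treated as an embedded payload rather than ordinary punctuation.
MORSE_RUN = re.compile(r"(?:[.-]{1,5} ){19,}[.-]{1,5}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_run(run):
    """Morse -> hex text -> bytes -> str. Returns None if the run is not Morse-encoded hex."""
    try:
        hex_text = "".join(MORSE[token] for token in run.split(" "))
        return bytes.fromhex(hex_text).decode("utf-8", "replace")
    except (KeyError, ValueError):  # non-hex Morse letter, or odd-length hex
        return None


def scan_attachment(html):
    """Return one finding per Morse run that decodes to text, with any URLs it hides."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        decoded = decode_run(match.group())
        if decoded is not None:
            findings.append({"offset": match.start(), "decoded": decoded,
                             "urls": URL.findall(decoded)})
    return findings


# Constructed sample (not taken from the campaign): a script tag, hex-encoded,
# then written as Morse inside an inline script of an HTML attachment.
ENCODE = {char: morse for morse, char in MORSE.items()}
SAMPLE_TAG = '<script src="https://phish.example.invalid/a.js"></script>'
SAMPLE_HTML = '<html><script>var m = "%s";</script></html>' % " ".join(
    ENCODE[char] for char in SAMPLE_TAG.encode().hex())

if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_HTML):
        print(finding["offset"], finding["urls"], finding["decoded"])
```

A long Morse run inside an HTML attachment is unusual enough to be worth flagging on its own, even when it does not decode to hex.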
(SecurityAffairs – hacking, phishing)