Cyber Attacks

Hackers uses Morse code in phishing attacks to hide detection


Microsoft revealed about a phishing attack group’s new techniques in which a ‘jigsaw puzzle’ technique plus unusual features like Morse code dashes and dots were used to hide its attacks.

The group uses invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts. The technique bypasses traditional email filter systems.

Microsoft Security Intelligence states that the HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments.

The attachment looks like a jigsaw puzzle. The individual segments of the HMTL file may look harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.

The main aim of the attack is to collect usernames and passwords, but it also collects profit data such as IP address and location to use for subsequent breach attempts.

This phishing campaign is unique due to the effort taken to encode the HTML file to bypass security controls.

The XLS.HTML phishing campaign uses social engineering to craft emails pretending to be regular financial-related business transactions. In some of the emails, attackers use accented characters in the subject line.

xls is used in the attachment file name to make users believe it to be an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. The dialog box may display information about its targets, such as their email address and, in some instances, their company logo.

The Morse Code element of the attack is used in conjunction with JavaScript. Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves.

In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. While in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

Image Credits : Commprise

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Accenture hit by LockBit Ransomware

    Previous article

    New Glowworm attack recovers device’s sound from LED Indicator

    Next article

    You may also like


    Leave a reply

    Your email address will not be published. Required fields are marked *