[ad_1]
A new targeted phishing campaign includes the new obfuscation technique of using Morse code to hide malicious URLs in an email attachment.
Samuel Morse and Alfred Vail invented Morse code as a means of transmitting messages over a telegraph wire. When using Morse code, each letter and number is encoded as a series of dots (short sound) and dashes (long sound).
Beginning last week, a threat actor began using Morse code to mask malicious URLs in their form of phishing to bypass secure email gateways and email filters.
BleepingComputer could not find any reference to Morse code used in phishing attacks in the past, making it a new obfuscation technique.
The new Morse code phishing attack
After learning about this attack from a post on Reddit, BleepingComputer was able to find numerous samples of the targeted attack uploaded to VirusTotal since February 2, 2021.
The phishing attack begins with an email claiming to be an invoice for the company with an email subject line like “Revenue_payment_invoice February_Wednesday 03/02/2021”.
This email includes an HTML attachment named to appear as an Excel invoice to the business. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML. ‘
For example, if BleepingComputer were targeted, the attachment would be named “bleepingcomputer_invoice_1308._xlsx.hTML”.
When you view the attachment in a text editor, you can see that it includes JavaScript that maps letters and numbers to Morse code. For example, the letter ‘a‘is mapped to’.-‘and the letter’b‘is mapped to’-…‘, as shown below.
The script then calls a decodeMorse () function to decode a Morse code string into a hexadecimal string. This hexadecimal string is then decoded into JavaScript tags which are injected into the HTML page.
These injected scripts combined with the HTML attachment contain the various resources needed to render a fake Excel spreadsheet that says their connection has timed out and prompts them to re-enter their password.
After a user enters their password, the form submits the password to a remote site where attackers can collect login information.
This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert logos for the recipient’s businesses into the login form to make it more compelling. If a logo isn’t available, it uses the generic Office 365 logo, as shown in the image above.
BleepingComputer has seen eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti and Capital Four.
Phishing scams are getting more complex every day as email gateways improve the detection of malicious emails.
For this reason, everyone should pay close attention to URLs and attachment names before submitting information. If anything looks suspicious, recipients should contact their network administrators to further investigate.
Since this phishing email uses dual extension attachments (xlxs and HTML), it is important to make sure that Windows file extensions are enabled to make it easier to detect suspicious attachments.
[ad_2]
Source link