{"id":19002,"date":"2021-08-16T18:16:00","date_gmt":"2021-08-16T18:16:00","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=19002"},"modified":"2021-08-16T21:33:16","modified_gmt":"2021-08-16T21:33:16","slug":"phishing-campaign-used-morse-code-to-evade-detection","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/phishing-campaign-used-morse-code-to-evade-detection\/","title":{"rendered":"Phishing Campaign Used Morse Code to Evade Detection: Microsoft"},"content":{"rendered":"

A phishing campaign that Microsoft security researchers have been tracking for about a year highlights not only the ongoing success of social engineering<\/a> efforts by hackers to compromise systems, but also the extent to which the bad actors will go to cover their tracks while stealing user credentials.<\/p>\n

In a blog post<\/a>, researchers with the Microsoft 365 Defender Threat Intelligence Team outlined how the cybercriminals changed tactics to evade detection, going so far as to change their obfuscation and encryption<\/a> mechanisms an average of every 37 days \u2013 including using older encryption methods like Morse code.<\/p>\n

The hackers make these relatively rapid changes in hopes of ensuring that their phishing efforts will go undetected for as long as possible, the researchers said.<\/p>\n

\u201cThis campaign\u2019s primary goal is to harvest usernames, passwords, and \u2013 in its more recent iteration \u2013 other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts,\u201d the researchers wrote, noting that in previous comments<\/a> about the phishing campaign, the \u201ccomponents include information about the targets, such as their email address and company logo. Such details enhance a campaign\u2019s social engineering lure and suggest that a prior reconnaissance of a target recipient occurs.\u201d<\/p>\n

Invoice-Themed Lures<\/h2>\n

The cybercriminals are using invoice themes with financial messages to lure people into clicking on the emails and the contained HTML files, like \u201cXLS.HTML\u201d to prepare the users to expect an Excel file. The attachments themselves contain several segments. There are JavaScript files that are used to steal passwords, which are then encoded. Over time, the hackers have moved from using plaintext HTML code to using other coding techniques \u2013 such as Morse code and other encryption methods \u2013 to hide the segments, the researchers wrote.<\/p>\n

\"Morse<\/p>\n

Some of the code segments are housed in various open directories \u2013 rather than in the attachments themselves \u2013 and are called by encoded scripts.<\/p>\n

\u201cThis phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,\u201d the Microsoft researchers wrote. \u201cIn effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.\u201d<\/p>\n

The emails mimic regular financial-related business transactions, in particular sending what appears to be vendor payment advice.<\/p>\n

Further reading: Microsoft Security Under Scrutiny After Recent Incidents<\/a><\/p>\n

Multiple Segments to Campaign<\/h2>\n

The segments include the email address of the target and a logo of the targeted user\u2019s organization, giving the email the air of authenticity. (If a logo isn\u2019t available, the Microsoft Office 365 logo is used instead.) When the user opens the attachment, a script loads an image of a blurred account, suggesting that the sign-in for entering the account has timed out. A dialog box is shown prompting the user to enter their password. When the user types in the password, an error message is shown.<\/p>\n

While that is going on, the malware is stealing the user\u2019s data.<\/p>\n

Attackers have created 10 iterations of the phishing campaign since Microsoft security researchers first came across it in July 2020. The lures have included such phrases as \u201cpayment receipt,\u201d \u201cpayroll\u201d and \u201ccontract.\u201d The encoding evolved from plaintext HTML to other methods, such as Escape, Base64 and Morse code, which was used in February and May.<\/p>\n

In May, the hackers included a new module that was used to grab the user\u2019s IP address and country data, which were sent to a command-and-control server. This is the information that the bad actors could use in combination with usernames and passwords to their initial entry point in later attempts to get into systems.<\/p>\n

Last month, another new twist was introduced. Using the term \u201cpurchase order\u201d as the lure, malware<\/a> no longer displayed a fake error message after the user typed their password, the researchers wrote. Instead, the phishing kit redirected the user to a legitimate Office 365 page.<\/p>\n

\"morse<\/p>\n

Whitelisting vs. Blacklisting<\/h2>\n

The techniques used by the attackers highlight the ongoing debate between whitelisting and blacklisting, according to John Bambenek, threat intelligence advisor at IT and security operations company Netenrich.<\/p>\n

\u201cIf we rely on blacklisting techniques, there are near infinite ways to obfuscate and code away detection of malicious behavior,\u201d Bambenek told eSecurity Planet<\/em>. \u201cIdeally we should focus on detecting what is benign and anything outside of that \u2013 such as the use of Morse code outside the Ham radio operator course \u2013 should be flagged and\/or blocked.\u201d<\/p>\n

Social Engineering Still a Problem<\/h2>\n

The attack detailed by Microsoft shows again how social engineering is the driver for such phishing campaigns and that only a little bit of personalization is needed to convince the target to share login credentials to corporate resources or to download a malicious app, Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, told eSecurity Planet<\/em>.<\/p>\n

\u201cThis particular incident shows how attackers target individuals on particular cloud platforms, such as Microsoft Office, in order to steal corporate login credentials,\u201d Schless said. \u201cIt\u2019s not very complex for an attacker to build a web page that looks like a Microsoft login page and spoof the URL to appear legitimate at a quick glance.\u00a0As soon as the target enters their login credentials, the attacker can use them and log in from their own device and access corporate resources.\u201d<\/p>\n

Because login credentials are often the same for all work applications, the attacker can not only use them for Microsoft Office but for other software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) applications to get access to a company\u2019s most sensitive data, he said.<\/p>\n

Schless noted that phishing campaigns can be particularly effective on mobile devices like smartphones and tablets, which have \u201csimplified interfaces that hide many red flags indicative of phishing attacks.\u00a0They can also deliver phishing links through email, SMS, social media platforms, third-party messaging apps, gaming and even dating apps.”<\/p>\n

A Multi-Layered Approach Needed<\/h2>\n

A key defense is using a cloud access security broker (CASB)<\/a> solution that can detect anomalous logins and activity, which could indicate an account has been compromised. If a user who normally logs in from New York suddenly does so from Moscow a few minutes later, the solution can revoke the employee\u2019s access and prevent attackers from stealing data or launching a ransomware<\/a> attack, he said.<\/p>\n

The Microsoft researchers also recommended a comprehensive approach given the highly evasive and fast-evolving nature of the threat. This would include multi-layered and cloud-based machine learning models and dynamic analysis to inspect emails and attachments and determine the reputation of both the message sender and recipient. Built-in sandboxes<\/a> can examine files and URLs to determine if they\u2019re malicious.<\/p>\n

\u201cFor this phishing campaign, once the HTML attachment runs on the [Microsoft Defender for Office 365] sandbox, rules check which websites are opened, if the JavaScript files decoded are malicious or not, and even if the images used are spoofed or legitimate,\u201d they wrote.<\/p>\n\n\n

\n \n\n \n\n
\n \n <\/path>\n <\/svg>\n <\/div>\n \n
\n
\n

\n Get the Free Cybersecurity Newsletter <\/h3>\n \n \n

\n Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday <\/p>\n <\/div>\n\n

\n
\n \n Email Address\n <\/label>\n \n <\/div>\n\n
\n
\n \n \n By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time. <\/label>\n <\/div>\n <\/div>\n \n