Some things seem to come full circle. Morse Code was invented in the 1800’s by Samuel Morse when he worked with an electrical telegraph system sending pulses of electric current and an electromagnet. His code used the pulse and breaks between them to transmit information. Popular with amateur radio operators, this code is no longer required if you want to get a pilots or air traffic controller license, though these individuals often have a basic understanding of the code. Morse code is a method used in telecommunication to encode text characters as standardized sequences of two different signal durations, called dots and dashes, or dits and dahs.[1]
BTW . . . - - - . . . is the international Morse Code for S.O.S. or “HELP”
Microsoft researchers have recently discovered details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials. Quite ingenious. The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file ("XLS.HTML"). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts.[2]
Stack Overflow Teams - Microsoft compared the attachment to a "jigsaw puzzle," noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation. This is like spy level analysis. Nice work Microsoft. "This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," Microsoft 365 Defender Threat Intelligence Team said in an analysis. "The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments.
Opening the attachment launches a browser window that displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. The dialog box shows a message urging the recipients to sign in again due to reasons that their access to the Excel document has purportedly timed out. In the event the user enters the password, the individual is alerted that the typed password is incorrect, while the malware stealthily harvests the information in the background.
Prevent Data Breaches - The campaign is said to have undergone 10 iterations since its discovery in July 2020, with the adversary periodically switching up its encoding methods to mask the malicious nature of the HTML attachment and the different attack segments contained within the file.
Microsoft reported it detected the use of Morse code within February and May 2021’s attack waves, while later variants of the phishing kit were found to direct the victims to a legitimate Office 365 page instead of showing a fake error message once the passwords were entered.
"Email-based attacks continue to make novel attempts to bypass email security solutions," the researchers said. "In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.
At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis. Our analysts are currently monitoring and collecting on 60+ dark web forums, 20 ransomware forums, 49 forums and marketplaces: of which 25 are forums [info only] and 24 are marketplaces [stolen data]. We can help protect all levels of a company to avoid any network disruptions. Our analysts are currently monitoring for these type TTP’s in the underground.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] http://www.unit-conversion.info/texttools/morse-code/
[2] https://thehackernews.com/2021/08/hackers-spotted-using-morse-code-in.html
Comments