A new targeted phishing campaign includes the new obfuscation technique of using Morse code to hide malicious URLs in an email attachment.
Samuel Morse and Alfred Vail invented Morse code as a way of transmitting messages over telegraph wires. When using Morse code, each letter and number is encoded as a series of dots (short tones) and dashes (long tones).
As of last week, a threat actor started using Morse code to hide malicious URLs in their phishing form to bypass secure email filters and gateways.
BleepingComputer was unable to find any reference to Morse code being used in phishing attacks in the past, making this a new obfuscation technique.
The new Morse code phishing attack
After first learning of this attack from a post on Reddit, BleepingComputer was able to find several samples of the targeted attack submitted to VirusTotal since February 2, 2021.
The phishing attack begins with an email pretending to be an invoice for the company, with a subject such as ‘Receita_pagamento_invoice februar_quarterdo 02/03/2021’.

This email includes an HTML attachment with a name that appears to be an Excel invoice for the company. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML’.
For example, if BleepingComputer were targeted, the attachment would be called ‘bleepingcomputer_invoice_1308._xlsx.hTML.’
When viewing the attachment in a text editor, you can see that it includes JavaScript that maps letters and numbers to Morse code. For example, the letter ‘a’ is mapped to ‘.-’ and the letter ‘B’ is mapped to ‘-...’, as shown below.

The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This hexadecimal string is later decoded into JavaScript tags that are injected into the HTML page.
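
A defender-side triage sketch for the two-layer encoding described above (Morse code to hexadecimal to script tags), added here as an example and not code from the attachment or from BleepingComputer. It assumes the Morse tokens are whitespace-separated; the function names, the 16-token threshold and the sample (an inert tag on a reserved .invalid host) are constructed for illustration.

```javascript
// International Morse for a-z and 0-9, the alphabet the attachment's script is described as mapping.
const MORSE = Object.create(null);
const addCodes = (codes, toChar) => codes.split(" ").forEach((c, i) => { MORSE[c] = toChar(i); });
addCodes(".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --..", (i) => String.fromCharCode(97 + i));
addCodes("----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.", (i) => String(i));

// Layer 1: Morse tokens -> characters; null if any token is not valid Morse.
function morseToText(run) {
  const chars = run.trim().split(/\s+/).map((tok) => MORSE[tok]);
  return chars.includes(undefined) ? null : chars.join("");
}

// Layer 2: hex string -> text (single-byte characters); null if the input is not well-formed hex.
function hexToText(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) return null;
  return hex.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join("");
}

// Scan attachment source for long dot/dash runs and undo both layers statically (nothing is executed).
function triageAttachment(source, minTokens = 16) {
  const runs = source.match(/[.-]{1,6}(?:[ \t]+[.-]{1,6})+/g) || [];
  const findings = [];
  for (const run of runs) {
    if (run.split(/\s+/).length < minTokens) continue; // too short to carry a payload
    const hex = morseToText(run);
    const decoded = hex === null ? null : hexToText(hex);
    if (decoded === null) continue; // not the Morse-over-hex pattern
    findings.push({
      decoded,
      injectsScript: /<script\b/i.test(decoded),
      urls: decoded.match(/https?:\/\/[^\s"'<>]+/gi) || [],
    });
  }
  return findings;
}

// Constructed sample, not taken from a real attachment.
const SAMPLE_MORSE = [
  "...-- -.-. --... ...-- -.... ...-- --... ..--- -.... ----. --... ----- --... ....- ..--- -----",
  "--... ...-- --... ..--- -.... ...-- ...-- -.. -.... ---.. --... ....- --... ....- --... -----",
  "--... ...-- ...-- .- ..--- ..-. ..--- ..-. --... ---.. ..--- . -.... ----. -.... .",
  "--... -.... -.... .---- -.... -.-. -.... ----. -.... ....- ..--- ..-. -.... .---- ...-- .",
].join(" ");
const SAMPLE_ATTACHMENT = `<html><script>var p = "${SAMPLE_MORSE}";</script></html>`;

console.log(triageAttachment(SAMPLE_ATTACHMENT));
```

Each finding carries the decoded markup and any URLs in it, which can be checked against blocklists or handed to an analyst without opening the attachment in a browser.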

These injected scripts, combined with the HTML attachment, contain the various features necessary to render a fake Excel spreadsheet that states that the user’s sign-in has timed out and prompts them to re-enter their password.

After a user enters their password, the form sends it to a remote site where attackers can collect login credentials.
This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert the logo of the recipient’s company into the login form to make it more convincing. If a logo is not available, the form uses the generic Office 365 logo, as shown in the image above.
BleepingComputer saw eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti and Capital Four.
Phishing scams are becoming more complex by the day, as email gateways become better at detecting malicious emails.
Therefore, everyone should pay close attention to URLs and attachment names before submitting any information. If something looks suspicious, recipients should contact their network administrators to investigate further.
Since this phishing email uses double-extension attachments (xlxs and HTML), it is important to make sure that Windows is set to show file extensions, which makes suspicious attachments easier to spot.