Phishers Use Morse Code to Evade Detection in Credential Theft Attacks

Phishers Continue to Use Morse Code in Attacks

Microsoft experts have reported on a malicious campaign that has been ongoing for about a year. According to their data, hackers change their obfuscation and encryption mechanisms on average every 37 days, including the use of Morse code to hide their tracks and steal user credentials.

Typically, the phishing lures are disguised as invoices related to financial business operations, and the emails contain an HTML file (named “XLS.HTML”). The ultimate goal of the attackers is to collect user credentials, which are then used as a starting point for further attacks.

How the Phishing Attack Works

Microsoft compares this campaign to a complex puzzle, noting that individual parts of the HTML files appear harmless and evade security products, but are then assembled and decoded to reveal their true purpose.

“The HTML attachments are split into several segments, including JavaScript files used to steal passwords, which are then encoded using various techniques. The attackers have moved from using plain HTML code to employing different encoding methods, including old and unusual encryption techniques and Morse code, in an effort to hide parts of their attacks,” the experts wrote.

Attack Scheme

When the malicious attachment is opened, a browser window appears displaying a fake Microsoft Office 365 login prompt (over a blurred Excel document). In this window, the user is prompted to sign in again, supposedly because their access to the Excel document has expired. If the victim falls for the scam and enters their password, they receive a message saying the password is incorrect, while in reality, the malware silently steals their data.

Evolution of the Campaign

Researchers report that these attacks began in July 2020, and since then, the campaign has gone through about ten iterations, during which the attackers changed their encoding methods to disguise the malicious HTML attachments.

“Morse code is an old and unusual encoding method that uses dashes and dots to represent characters. This mechanism was used in attacks in February and May,” Microsoft wrote. “In the February iteration, links to JavaScript files were encoded using ASCII and then Morse code. In May, the domain name in the phishing kit’s URL was encoded using Escape before the entire HTML code was encoded with Morse code.”

It’s worth noting that in February of this year, the publication Bleeping Computer also warned about phishers using Morse code.
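
For triage of attachments like the February iteration described above, this added example (not code from Microsoft or from the original article) finds long dot/dash runs in an HTML file, decodes the Morse layer, and then tries the inner ASCII layer. The hex-pair form of that ASCII layer, the eight-group threshold, the function names and the constructed `example.invalid` sample are assumptions.

```python
import re

# International Morse code, letters and digits only.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
# Assumed heuristic: 8 or more space-separated dot/dash groups is a Morse run.
MORSE_RUN = re.compile(r"(?<![.\-\w])[.-]{1,5}(?: [.-]{1,5}){7,}(?![.\-\w])")

def decode_morse(run):
    """Decode one run; groups missing from the table become '?'."""
    return "".join(MORSE.get(group, "?") for group in run.split(" "))

def unwrap_hex(text):
    """Assumed 'ASCII' layer: hex byte pairs. Returns None if it does not fit."""
    if len(text) % 2 or not re.fullmatch(r"[0-9a-f]+", text):
        return None
    try:
        return bytes.fromhex(text).decode("ascii")
    except UnicodeDecodeError:
        return None

def scan_attachment(html):
    """Return one finding per Morse run, with every layer that decoded."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        morse_text = decode_morse(match.group(0))
        inner = unwrap_hex(morse_text)
        final = inner if inner is not None else morse_text
        findings.append({
            "offset": match.start(),
            "layers": ["morse"] + (["hex"] if inner is not None else []),
            "decoded": final,
            "loads_remote_script": bool(re.search(r"<script[^>]+src=", final, re.I)),
        })
    return findings

def build_sample():
    """Constructed attachment body; example.invalid is a placeholder host."""
    to_morse = {char: code for code, char in MORSE.items()}
    tag = '<script src="https://example.invalid/a.js"></script>'
    run = " ".join(to_morse[c] for c in tag.encode("ascii").hex())
    return '<html><script>var m = "%s";</script>Invoice ... - see</html>' % run
```

A finding with `loads_remote_script` set is the signal worth alerting on: static HTML that carries a Morse-wrapped script reference has no benign reason to do so.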
