Phishers Use Morse Code to Hide Malicious URLs
Journalists from Bleeping Computer discovered information on Reddit about a new phishing campaign that uses Morse code to obfuscate and hide malicious URLs in email attachments. While investigating, the publication’s experts found numerous samples of such disguised malware uploaded to VirusTotal in February 2021.
How the Attack Works
The phishing attack starts with an email disguised as an invoice, containing an attachment named in the format “[company_name]_invoice_[number]._xlsx.hTML”. This HTML attachment is designed to look like an Excel invoice.
When viewing the attachment in a text editor, you can see that it contains JavaScript that maps letters and numbers to Morse code. For example, the letter “a” is represented as “.-”, and the letter “b” as “-...”.
The script calls a decodeMorse() function to decode the Morse code into hexadecimal, and the resulting hexadecimal string is then converted into JavaScript tags, which are inserted into the HTML page.
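For triage, the same decoding can be reproduced offline, without opening the attachment in a browser, to recover the script URLs it hides. The Python sketch below is an added example, not code from the campaign or from the Bleeping Computer report; the space-separated token layout, the 40-token threshold, the function names, and the sample attachment with its placeholder URL are assumptions constructed for illustration.

```python
import re

# International Morse code for the characters a hex string can contain.
MORSE = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
}
FROM_MORSE = {code: char for char, code in MORSE.items()}

# A run of at least 40 space-separated dot/dash tokens (threshold is an assumption).
MORSE_RUN = re.compile(r"(?:[.-]{1,5} ){39,}[.-]{1,5}")
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def decode_morse_hex(run: str) -> str:
    """Morse tokens -> hex digits -> text. Raises ValueError on non-hex input."""
    try:
        hex_digits = "".join(FROM_MORSE[token] for token in run.split())
    except KeyError as exc:
        raise ValueError(f"token {exc} is not a Morse-encoded hex digit") from None
    return bytes.fromhex(hex_digits).decode("utf-8", errors="replace")


def hidden_script_urls(attachment: str) -> list[str]:
    """Return script URLs hidden in Morse runs, without executing anything."""
    urls = []
    for match in MORSE_RUN.finditer(attachment):
        try:
            urls += SRC_ATTR.findall(decode_morse_hex(match.group()))
        except ValueError:
            continue  # dots and dashes that are not an encoded payload
    return urls


# Constructed sample: a placeholder tag encoded the way the article describes.
_tag = '<script src="https://phish.example.invalid/a.js"></script>'
SAMPLE = ('<html><script>var p = "'
          + " ".join(MORSE[d] for d in _tag.encode().hex())
          + '"; /* decodeMorse(p) */</script></html>')

if __name__ == "__main__":
    print(hidden_script_urls(SAMPLE))
```

Any URL this returns from an HTML attachment is a candidate for blocking and for searching proxy or DNS logs, since the encoded form will not match URL-based mail filters.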
Deceptive Techniques Used
These scripts, combined with the HTML attachment, include various resources needed to display a fake Excel file. The user is told that their session has supposedly expired and is prompted to enter their password again. If the user enters their credentials into the provided form, the information is sent to a remote site controlled by the attackers.
The report notes that the scammers use the logo.clearbit.com service to insert the recipient company’s logo into the login form, making it appear more convincing. If the logo is unavailable, a generic Office 365 logo is used, as shown in the screenshot below.
Targeted Companies
According to the publication, at least eleven companies have already been targeted by these attacks, including:
- SGS
- Dimensional
- Metrohm
- SBI (Mauritius) Ltd
- NUOVO IMAIE
- Bridgestone
- Cargeas
- ODDO BHF Asset Management
- Dea Capital
- Equinti
- Capital Four