Morse code helps cybercriminals evade detection
XLS.HTML phishing campaign used a variety of novel tactics to avoid detection
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Microsofthas released new details on aphishing campaignwhich employed evolving tactics including the use ofMorse codeto evade detection.
During the year-long investigation carried out by researchers fromMicrosoft Security Intelligence, the cybercriminals behind the campaign changed obfuscation and encryption mechanisms every 37 days on average to avoid having their operation detected.
The campaign itself used an invoice-themed XLS.HTML attachment divided into several segments including theJavaScriptfiles used to steal passwords which are then encoded using various mechanisms. Over the course of Microsoft’s investigation, the attackers went from using plaintext HTML code to using multiple encoding techniques including some older and unusual encryption methods like Morse code to hide these attack segments according to a newblog post.
To avoid detection further, some of the code segments used in the campaign were not even present in the attachment itself and instead resided in a number of open directories.
Fake payment notices
This XLS.HTML phishing campaign usessocial engineeringto create emails that mimic the look of financial-related business transactions in the form of fake payment notices.
The campaign’s primary goal iscredential harvestingand while it originally harvested usernames and passwords, in its more recent iteration it has also started collecting other information such as IP addresses and locations which the cybercriminals behind it use as the initial entry point for later infiltration attempts.
Although XLS is used in the attachment file to prompt users to expect an Excel file, when the attachment is opened it launches abrowserwindow instead that takes potential victims to a fakeMicrosoft Office 365login page. A dialog on the page prompts users to login again as their access to the Excel document has supposedly timed out. However, if a user does enter their password, they will then receive a fake note saying that the submitted password is incorrect while an attacker-controlled phishing kit running in the background harvests their credentials.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
What sets this campaign apart is the fact that cybercriminals behind it went to great lengths to encode the HTML file in such a way to bypass security controls. As always, users should avoid opening emails from unknown senders especially when they require them to login into an online service to access a file or request that they enable macros.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
This dangerous new malware is hitting Windows devices by hiding in games
Windows PCs targeted by new malware hitting a vulnerable driver
Steps to take when your phone number is publicly listed online
