New phishing attack uses Morse code to hide malicious URLs

Morse code

A new targeted phishing campaign uses a new obfuscation technique: hiding malicious URLs in an email attachment with Morse code.

Samuel Morse and Alfred Vail invented Morse code as a way to convey messages over the telegraph wire. When you use Morse code, each letter and number is encoded as a series of dots (short sound) and dashes (long sound).

Since last week, a threat actor has been using Morse code to hide malicious URLs in their phishing form to bypass secure email gateways and email filters.

BleepingComputer could not find any references to Morse code being used in phishing attacks, making this a new obfuscation technique.

The novel Morse code phishing attack

After first learning about this attack from a post on Reddit, BleepingComputer has been able to find numerous examples of the targeted attack uploaded to VirusTotal since February 2, 2021.

The phishing attack begins with an email pretending to be an invoice for the company with an email subject such as ‘Revenue_Payment_Invoice February_Wednesday 02/03/2021.’

Phishing Email

This email contains an HTML attachment named so that it looks like an Excel invoice for the business. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML’.

For example, if BleepingComputer is targeted, the attachment will be named ‘bleepingcomputer_invoice_1308._xlsx.hTML’.

When you view the attachment in a text editor, you can see that it contains JavaScript that maps letters and numbers to Morse code. For example, the letter ‘a’ is mapped to ‘.-’ and the letter ‘b’ is mapped to ‘-...’, as shown below.

Source code HTML phishing attachment

The script then calls a decodeMorse() function to decode a Morse string into a hexadecimal string. This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page.

Decoded JavaScript tags

These injected scripts, along with the HTML attachment, contain the various resources needed to display a fake Excel spreadsheet that tells the user their login has expired and asks them to re-enter their password.

HTML attachment displaying the phishing login form

Once a user enters their password, the form will submit the password to a remote website, where the attackers can collect the credentials.

This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert the logo of the recipient’s company into the login form to make it more convincing. If a logo is not available, it uses the generic Office 365 logo, as shown in the image above.

BleepingComputer has seen eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equiniti and Capital Four.

Phishing scams get more complicated every day as email gateways get better at detecting malicious email.

As a result, everyone should pay close attention to URLs and attachment names before submitting any information. If something looks suspicious, recipients should contact their network administrators to investigate further.

Because these phishing email attachments use a double extension (xlsx and HTML), it’s important to make sure that Windows is set to show file extensions, which makes suspicious attachments easier to spot.
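
The decoding chain described above (Morse to hexadecimal to script tags) and the double-extension naming can both be checked statically when triaging a suspicious attachment, without opening it in a browser. The following Node.js code is an added example, not code from the attachment or from BleepingComputer; the names triageAttachment and decodeRun, the sample file, and the assumption that Morse tokens are separated by spaces or slashes are illustrative.

```javascript
// Static triage of an HTML attachment: nothing in the file is executed.
// International Morse code for the sixteen characters a hex string can contain.
const MORSE = {
  '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
  '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
  '.-': 'a', '-...': 'b', '-.-.': 'c', '-..': 'd', '.': 'e', '..-.': 'f',
};
// Assumption: tokens are separated by spaces or '/'; 8 or more in a row is a run.
const MORSE_RUN = /(?:[.-]{1,5}[ \/]+){7,}[.-]{1,5}/g;
// Document extension followed by .htm/.html; the page shows "._xlsx.hTML".
// The doc and pdf alternatives are an added assumption.
const DOUBLE_EXT = /\._?(?:xlsx?|docx?|pdf)\.html?$/i;

// Morse -> hex -> text. Returns null when the run is not a hex payload.
function decodeRun(run) {
  const hex = run.split(/[ \/]+/).map((t) => MORSE[t] || '?').join('');
  if (hex.includes('?') || hex.length % 2 !== 0) return null;
  return Buffer.from(hex, 'hex').toString('latin1');
}

function triageAttachment(fileName, html) {
  const runs = html.match(MORSE_RUN) || [];
  const payloads = runs.map(decodeRun).filter((p) => p !== null);
  return {
    doubleExtension: DOUBLE_EXT.test(fileName),
    morseRuns: runs.length,          // Morse-looking runs found in the source
    payloads,                        // runs that decoded cleanly via hex
    injectsScript: payloads.some((p) => /<script\b/i.test(p)),
  };
}

// Constructed sample: the Morse run spells hex 3c7363726970743e ("<script>").
const SAMPLE_NAME = 'example_invoice_0000._xlsx.hTML';
const SAMPLE_HTML = '<html><script>var m = "...-- -.-. --... ...-- -.... ...-- --... ..--- ' +
  '-.... ----. --... ----- --... ....- ...-- ."; /* decodeMorse(m) */</script></html>';

console.log(triageAttachment(SAMPLE_NAME, SAMPLE_HTML));
```

A file where morseRuns is greater than payloads.length contains Morse-like text that did not decode as hex and still merits a manual look.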
