Email obfuscator ascii
4/2/2023

This is called quoted-printable formatting and it is required in email because RFC 5322 (.eml, originally RFC 822) explicitly allows only ASCII characters, so RFC 2047 presents an "ASCII-armor" (to borrow a term from PGP) format to encode non-ASCII text as either quoted-printable or base64. This is formatted like =?CHARSET?ENCODING?CONTENT?=

Quoted-printable is particularly useful for when the content is mostly ASCII, so for example Chris España could be encoded as =?UTF-8?Q?Chris Espa=F1a?= rather than base64's longer and less human-legible =?UTF-8?B?Q2hyaXMgRXNwYcOxYQ=?=

As discussed in the comments and the other answer, this is an obfuscation technique. In this case, it's using "zero-width no-break space" characters (U+FEFF, aka ZWNBSP or BOM, represented in UTF-8 as 0xEF 0xBB 0xBF, which Unicode has deprecated in favor of word joiner, U+2060). According to that Wikipedia page:

> Character U+FEFF is intended for use as a Byte Order Mark (BOM) at the start of a file. However, if encountered elsewhere, it should, according to Unicode, be treated as a "zero width no-break space".

Modern phishing campaigns are sophisticated, evasive, and relentlessly evolving. This phishing campaign exemplifies the modern email threat: cybercriminals attempt to change tactics as fast as security and protection technologies do. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual methods like Morse code, to hide the attack segments. Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts. (Morse code, Base64, ASCII character codes and JavaScript Escape are encodings rather than encryption: none of them needs a key, so every layer can be reversed mechanically once it has been recognised.)

This campaign's primary goal is to harvest usernames, passwords, and, in its more recent iteration, other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts. As previously noted by the Microsoft Defender Threat Intelligence Team, the campaign components include information about the targets, such as their email address and company logo. Such details enhance a campaign's social engineering lure and suggest that prior reconnaissance of the target recipient occurs.

Email-based attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions. The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms.

To defend organizations in a fast and cost-effective way, Synergy Advisors has launched the Email Protection E-Suite Discovery Offering, where certified experts and unique E-Suite and Microsoft solutions provide findings and action plans to protect against the latest threats.

XLS.HTML phishing campaign: Fake payment notices are an effective tool for attackers to steal credentials

The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line.

[Figure: Sample of the fake "credentials stolen" dialog box, with a blurred Excel image in the background.]

From plaintext to Morse code: A timeline of frequently changing attack segment encoding

Obfuscation and encryption mechanisms change every 37 days on average. The change in patterns demonstrates that attackers are aware of the need to change their routines to evade security technologies.

[Figure: Obfuscation and encryption mechanisms change every 37 days on average.]

Mechanisms identified by the Microsoft 365 Defender Threat Intelligence Team:

1. Transition from plaintext HTML to encoded segments.

2. Hosting of segments on third-party sites and multiple encoding mechanisms. The logo, obtained from third-party sites, and the link to the phishing kit were encoded using Escape. The two links to the JavaScript files were encoded together in two steps: first in Base64, then in ASCII.

3. Use of Morse code. Links to the JavaScript files were encoded using ASCII, then in Morse code. Meanwhile, the user mail ID and the organization's logo in the HTML file were encoded in Base64, and the actual JavaScript files were encoded in Escape. Later, the link to the JavaScript file was encoded in ASCII while the domain name of the phishing kit URL was encoded in Escape. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.
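To make the layering described in the timeline concrete, here is an added example (my own code, not from the page, Microsoft or Synergy Advisors) that rebuilds the encoders the campaign is said to chain and then peels them back off the string literals found in an attachment. It assumes that "ASCII" means a comma-separated list of decimal character codes of the kind fed to String.fromCharCode, that "Escape" means JavaScript's escape()/unescape(), and that the Morse table is standard ITU Morse for the digits and the comma only; ITU Morse has no letter case, so the campaign's Morse-over-whole-HTML step must rely on a custom table that the page does not give, and this example does not guess it. The sample HTML, URLs and hostnames are constructed.

```python
import base64
import re
import string

# ITU Morse for digits and the comma. Only applied to the decimal-code layer,
# because ITU Morse cannot preserve letter case (assumption for this example;
# the campaign's own Morse table is not on the page).
MORSE = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ",": "--..--",
}
MORSE_REV = {v: k for k, v in MORSE.items()}

# Characters JavaScript's escape() leaves untouched.
ESCAPE_SAFE = set(string.ascii_letters + string.digits + "@*_+-./")


def morse_encode(text):
    return " ".join(MORSE[c] for c in text)


def morse_decode(code):
    out = []
    for sym in code.split():
        if sym not in MORSE_REV:
            raise ValueError("not a symbol in this Morse table: %r" % sym)
        out.append(MORSE_REV[sym])
    return "".join(out)


def ascii_encode(text):
    # "ASCII" as the kit uses it: decimal char codes for String.fromCharCode.
    return ",".join(str(ord(c)) for c in text)


def ascii_decode(codes):
    return "".join(chr(int(n)) for n in codes.split(","))


def js_escape(text):
    """Mirror JavaScript escape(): %XX below code point 256, %uXXXX above."""
    out = []
    for c in text:
        if c in ESCAPE_SAFE:
            out.append(c)
        elif ord(c) < 256:
            out.append("%%%02X" % ord(c))
        else:
            out.append("%%u%04X" % ord(c))
    return "".join(out)


def js_unescape(text):
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def detect_layer(s):
    """Guess the outermost encoding of s, or None if it looks like plaintext."""
    if re.fullmatch(r"[.\- ]+", s):
        return "morse"
    if re.fullmatch(r"\d+(,\d+)*", s):
        return "ascii"
    if re.search(r"%(u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})", s):
        return "escape"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            base64.b64decode(s, validate=True).decode("utf-8")
            return "base64"
        except (ValueError, UnicodeDecodeError):
            return None
    return None


DECODERS = {
    "morse": morse_decode,
    "ascii": ascii_decode,
    "escape": js_unescape,
    "base64": lambda s: base64.b64decode(s).decode("utf-8"),
}


def peel(s, max_layers=8):
    """Strip encoding layers until plaintext; return (plaintext, layers)."""
    layers = []
    for _ in range(max_layers):
        kind = detect_layer(s)
        if kind is None:
            break
        s = DECODERS[kind](s)
        layers.append(kind)
    return s, layers


def harvest(html, min_len=16):
    """Peel every long double-quoted string literal in an HTML/JS attachment."""
    found = {}
    for lit in re.findall(r'"([^"]{%d,})"' % min_len, html):
        plain, layers = peel(lit)
        if layers:
            found[plain] = layers
    return found


def layer_js_link(url):
    """Encode a link as the timeline describes: Base64, then ASCII, then Morse."""
    return morse_encode(ascii_encode(base64.b64encode(url.encode()).decode("ascii")))


# Constructed sample: a script link under three layers and a kit domain under
# Escape, embedded the way the kits call their segments back.
JS_LINK = "https://cdn.example.test/kit/login.js"   # constructed
KIT_URL = "kit.example.test/index.php?id=1"          # constructed
SAMPLE_HTML = ('<script>var s="' + layer_js_link(JS_LINK) + '";'
               'var d="' + js_escape(KIT_URL) + '";</script>')

if __name__ == "__main__":
    for plain, layers in harvest(SAMPLE_HTML).items():
        print(" -> ".join(layers), ":", plain)
```

Because every layer here is a keyless encoding, detection needs nothing more than the alphabet each layer leaves behind, which is also why a 37-day rotation of the layer order buys the attacker less against a decoder that recognises layers than against a signature on one fixed chain.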
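The encoded-word and zero-width-space discussion earlier on this page translates into the following added example (my own code, not the answerer's and not from the page). It builds RFC 2047 encoded-words, picking Q or B by length, decodes them with the standard library's email.header, and then flags invisible code points in the decoded text so that a "Subject" that looks like Invoice to a human can still be matched by a filter. One caveat the answer glosses over: a conformant Q-encoded word for Chris España in a UTF-8 charset carries the UTF-8 bytes =C3=B1 and an underscore for the space (=F1 is the Latin-1 byte for ñ), and an encoded-word is capped at 75 characters, which this example does not enforce. The subject line is constructed, and the list of invisible code points beyond U+FEFF and U+2060 is my own.

```python
import base64
import email.header
import string
import unicodedata

# Characters allowed unencoded in a Q-encoded word inside a phrase
# (RFC 2047 section 5); everything else becomes =XX, space becomes "_".
Q_SAFE = set(string.ascii_letters + string.digits + "!*+-/")

# Invisible code points worth flagging in a decoded header. U+FEFF and U+2060
# come from the text above; the others are this example's own additions.
INVISIBLE = {"\ufeff", "\u2060", "\u200b", "\u200c", "\u200d", "\u00ad"}


def encode_word(text, charset="UTF-8"):
    """Build one RFC 2047 encoded-word, choosing Q or B by resulting length."""
    if all(c in Q_SAFE or c == " " for c in text):
        return text  # a plain ASCII phrase needs no encoded-word at all
    raw = text.encode(charset)
    q = "".join(
        "_" if b == 0x20 else chr(b) if chr(b) in Q_SAFE else "=%02X" % b
        for b in raw)
    b64 = base64.b64encode(raw).decode("ascii")
    enc, body = ("Q", q) if len(q) <= len(b64) else ("B", b64)
    # RFC 2047 caps an encoded-word at 75 characters; longer text has to be
    # split into several words, which this example does not do.
    return "=?%s?%s?%s?=" % (charset, enc, body)


def decode_words(header):
    """Decode every encoded-word in a header value into one str."""
    parts = []
    for chunk, charset in email.header.decode_header(header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def find_invisible(text):
    """Return (index, 'U+XXXX', Unicode name) for each invisible character."""
    return [(i, "U+%04X" % ord(c), unicodedata.name(c, "?"))
            for i, c in enumerate(text) if c in INVISIBLE]


def strip_invisible(text):
    return "".join(c for c in text if c not in INVISIBLE)


def triage_subject(header):
    """Decode a Subject value and report what the recipient would actually see."""
    decoded = decode_words(header)
    return {
        "decoded": decoded,
        "visible": strip_invisible(decoded),
        "invisible": find_invisible(decoded),
    }


# Constructed sample: "Invoice payment" with U+FEFF inserted, so a keyword
# filter that matches on the raw or even the decoded header never sees
# "Invoice" unless it strips the invisible characters first.
SUBJECT = "In\ufeffvoice \ufeffpay\ufeffment"
ENCODED_SUBJECT = encode_word(SUBJECT)

if __name__ == "__main__":
    print(encode_word("Chris España"))
    print(ENCODED_SUBJECT)
    for key, value in triage_subject(ENCODED_SUBJECT).items():
        print(key, repr(value))
```

The three U+FEFF characters push the Q form past the B form in length, so the constructed subject comes out as a B-encoded word; that is also why a filter should match on the decoded and invisible-stripped text rather than on the raw header bytes.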