A threat actor has been using an unusual means of encoding a malicious payload in an HTML document: Morse code. Samples of the phishing emails doing the rounds carry an HTML attachment named so as to appear to be an Excel file, for example acme_invoice102.xlsx.html.
When the attachment is opened up in a text editor, you can see a function stolen from a user on the StackOverflow forum, used here to obfuscate malicious code:
    function decodeMorse(morseCode) {
        var ref = {
            '.-': 'a', '-...': 'b', '-.-.': 'c', '-..': 'd', '.': 'e', '..-.': 'f', '--.': 'g', '....': 'h', '..': 'i', '.---': 'j', '-.-': 'k', '.-..': 'l', '--': 'm',
            '-.': 'n', '---': 'o', '.--.': 'p', '--.-': 'q', '.-.': 'r', '...': 's', '-': 't', '..-': 'u', '...-': 'v', '.--': 'w', '-..-': 'x', '-.--': 'y', '--..': 'z',
            '.----': '1', '..---': '2', '...--': '3', '....-': '4', '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9', '-----': '0',
        };
        // ... the rest of the function is not shown in this excerpt
    }
This novel technique was used to obfuscate URLs to malicious JavaScript files stored on cooljab.jp servers, helping them avoid detection by email-scanning security products.
Strictly speaking, there’s no reason the dots and dashes couldn’t have been replaced with any groups of letters, numbers or symbols, so we get the feeling this was likely someone nerding out a little.
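For analysts triaging such an attachment, here is an added example (not code from the phishing sample or from this article's author): a Node.js helper that finds long Morse runs in the HTML and decodes them with the same lookup table. It assumes the decoded text may be hex, since the table has no ':' or '/' characters; the function names, the sample HTML and the example.invalid URL are constructed for illustration.

```javascript
// Added example: defender-side triage helper, not code from the phishing sample.
const CODES = ('.- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- ' +
  '.-. ... - ..- ...- .-- -..- -.-- --.. .---- ..--- ...-- ....- ..... -.... --... ---.. ----. -----').split(' ');
const CHARS = 'abcdefghijklmnopqrstuvwxyz1234567890';
const MORSE = Object.fromEntries(CODES.map((code, i) => [code, CHARS[i]]));

// Eight or more space-separated dot/dash tokens in a row; short runs such as
// "<!-- -->" are ignored to limit false positives.
const RUN_RE = /(?:[.-]{1,5} +){7,}[.-]{1,5}/g;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function decodeMorse(run) {
  // Unknown tokens become '?' so a partial decode is still visible to the analyst.
  return run.trim().split(/ +/).map(tok => MORSE[tok] ?? '?').join('');
}

// Assumption: because the table has no ':' or '/', a URL needs a second layer;
// hex is tried here as one plausible layer.
function tryHex(text) {
  return /^(?:[0-9a-f]{2})+$/.test(text) ? Buffer.from(text, 'hex').toString('latin1') : null;
}

function triage(html) {
  return (html.match(RUN_RE) || []).map(run => {
    const decoded = decodeMorse(run);
    const unhexed = tryHex(decoded);
    const urls = (unhexed ?? decoded).match(URL_RE) || [];
    return { decoded, unhexed, urls };
  });
}

// Constructed sample: a placeholder URL, hex-encoded and then Morse-encoded.
const INVERSE = Object.fromEntries(CODES.map((code, i) => [CHARS[i], code]));
const toMorse = s => [...Buffer.from(s).toString('hex')].map(ch => INVERSE[ch]).join(' ');
const SAMPLE_HTML = '<html><!-- constructed --><script>var p = decodeMorse("' +
  toMorse('https://example.invalid/a.js') + '");</script></html>';

for (const hit of triage(SAMPLE_HTML)) console.log(hit.urls, hit.unhexed);
```

The same run-matching pattern can be reused as a mail-gateway content rule, with the minimum run length tuned against benign HTML.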