
Cybercrime: Morse code is the latest trick to hide malicious URLs in email attachments

Bleeping Computer: Morse code is the latest trick used by cybercriminals to hide malicious URLs in email attachments

Morse code is the latest trick used by cybercriminals to hide malicious URLs in email attachments, as reported by Bleeping Computer's cybersecurity experts. The phishing attack starts with an email pretending to be an invoice for the company, with a subject line like 'Revenue_payment_invoice February_Wednesday 02/03/2021.' It includes an HTML attachment named so that it appears to be an Excel invoice for the company. These attachments are named in the format '[company_name]_invoice_[number]._xlsx.hTML.' Viewing the attachment in a text editor shows that it includes JavaScript that maps letters and numbers to Morse code. For example, the letter 'a' is mapped to '.-' and the letter 'b' is mapped to '-...'.

Cybersecurity experts: this phishing campaign is highly targeted, with logos for various companies to make it more convincing

According to the cybersecurity experts, the script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This string is further decoded into JavaScript tags that are injected into the HTML page. These injected scripts, combined with the HTML attachment, contain the various resources necessary to render a fake Excel spreadsheet that tells the user their sign-in has timed out and prompts them to enter their password again. Once a user enters their password, the form submits it to a remote site where the attackers can collect the login credentials. The campaign is highly targeted: the threat actor inserts logos for various companies into the form to make it more convincing. If a logo is not available, it uses the generic Office 365 one.
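For triage of a suspicious HTML attachment, the two layers described above (Morse to hexadecimal, hexadecimal to markup) can be undone statically, without opening the file in a browser. The following is an added example, not code from the campaign or from Bleeping Computer; the function names, the single-space separator between Morse symbols, the 21-symbol threshold and the placeholder host collector.example are assumptions.

```python
import re

# International Morse code; the article quotes the first two entries ('a', 'b').
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
# Assumption: symbols are separated by single spaces; 21+ in a row is not prose.
MORSE_RUN = re.compile(r"[.-]{1,5}(?: [.-]{1,5}){20,}")
URL = re.compile(r"""https?://[^\s"'<>]+""")

def decode_morse(text):
    """Space-separated Morse symbols -> text, or None on an unknown symbol."""
    try:
        return "".join(MORSE[sym] for sym in text.split())
    except KeyError:
        return None

def decode_layers(run):
    """Undo both layers (Morse -> hex -> text); None if either layer fails."""
    hex_text = decode_morse(run)
    if not hex_text:
        return None
    try:
        return bytes.fromhex(hex_text).decode("utf-8", errors="replace")
    except ValueError:  # decoded letters were not hexadecimal
        return None

def triage(html):
    """Return (decoded_markup, urls) for every Morse run in an attachment."""
    findings = []
    for match in MORSE_RUN.finditer(html):
        markup = decode_layers(match.group(0))
        if markup is not None:
            findings.append((markup, URL.findall(markup)))
    return findings

# Constructed sample: a script tag pointing at a placeholder host, encoded the
# way the article describes, then embedded in a minimal attachment body.
HIDDEN = '<script src="https://collector.example/a.js"></script>'
TO_MORSE = {char: sym for sym, char in MORSE.items()}
SAMPLE = ('<html><script>var m = "'
          + " ".join(TO_MORSE[c] for c in HIDDEN.encode().hex())
          + '"; decodeMorse(m);</script></html>')
```

Calling `triage(SAMPLE)` returns the hidden script tag and the URL it loads, which can then be checked against blocklists or proxy logs.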
