Hackers use Morse code to hide malicious URLs in a phishing attack

Morse code, famous as a code language used by the Army and security services, has recently been used as a novel obfuscation technique in a new targeted phishing campaign. Using this technique, hackers hid malicious URLs in an email attachment.

Morse code was used in the phishing emails to bypass email filters and secure gateways. BleepingComputer found the attack in numerous samples uploaded to VirusTotal on 2nd February 2021. The attack starts with invoice-like files saved as “Revenue_payment_invoice February_Wednesday 02/03/2021”, containing the HTML attachment for the invoice, named [company_name]_invoice_[number]._xlsx.html.

The attachment maps letters and numbers to Morse code and then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. JavaScript is then injected into the page, containing the resources needed to render a fake file that asks users for their password, which gives hackers access.
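As an added example (not code from the original article or from the phishing samples), the sketch below shows how an analyst or mail filter could undo this layering: it finds long Morse runs in an attachment's source, decodes them to hex and then to text, and lists any URLs revealed. Only the name decodeMorse() comes from the article; its body, the other function names, the sample attachment and the example.invalid URL are constructed for illustration.

```javascript
// Standard International Morse for letters and digits (hex needs only 0-9, a-f).
const MORSE = {
  a: '.-', b: '-...', c: '-.-.', d: '-..', e: '.', f: '..-.', g: '--.', h: '....',
  i: '..', j: '.---', k: '-.-', l: '.-..', m: '--', n: '-.', o: '---', p: '.--.',
  q: '--.-', r: '.-.', s: '...', t: '-', u: '..-', v: '...-', w: '.--', x: '-..-',
  y: '-.--', z: '--..', 0: '-----', 1: '.----', 2: '..---', 3: '...--',
  4: '....-', 5: '.....', 6: '-....', 7: '--...', 8: '---..', 9: '----.',
};
const FROM_MORSE = Object.fromEntries(Object.entries(MORSE).map(([ch, code]) => [code, ch]));

// Decode space-separated Morse symbols; unknown symbols become '?'.
function decodeMorse(morse) {
  return morse.trim().split(/\s+/).map((sym) => FROM_MORSE[sym] ?? '?').join('');
}

// Turn a hex string into text, or return null if it is not clean, even-length hex.
function hexToText(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-f]+$/.test(hex)) return null;
  return hex.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join('');
}

// Find long Morse runs in attachment source and report what they decode to.
function inspectAttachment(html, minSymbols = 16) {
  const findings = [];
  for (const [run] of html.matchAll(/[.-]{1,5}(?: [.-]{1,5})+/g)) {
    if (run.split(' ').length < minSymbols) continue; // ignore short incidental runs
    const text = hexToText(decodeMorse(run));
    if (text === null) continue; // Morse that is not hex is outside this check
    findings.push({ decoded: text, urls: text.match(/https?:\/\/[^\s"'<>]+/g) ?? [] });
  }
  return findings;
}

// Constructed sample: hidden markup -> hex -> Morse, placed inside a script tag.
function buildSample(hidden) {
  const hex = [...hidden].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  const morse = [...hex].map((d) => MORSE[d]).join(' ');
  return `<html><script>var m = "${morse}"; /* decodeMorse(m) */</script></html>`;
}

const sample = buildSample('<script src="https://example.invalid/stage2.js"></script>');
console.log(inspectAttachment(sample));
```

A long run of dots and dashes inside an HTML attachment is itself a useful triage signal, since legitimate invoices have no reason to carry one.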

The attack also uses the logo.clearbit.com service to put the recipient company’s logo on the form, making it more convincing. If a logo is not available, it falls back to a generic Office 365 logo. Bridgestone, Dea Capital, Metrohm, SGS and SBI Ltd (Mauritius) are a few of the names that have suffered because of this attack.

Morse code was invented by Alfred Vail and Samuel Morse as a means of sending messages across telegraph lines; it defines codes for numbers and letters. In Morse code, dashes represent long sounds and dots represent short sounds.