A phishing campaign uses morse code to hide malicious URL

Obfuscation is a commonly used technique by malware authors to render their code unreadable to prevent easy interpretation of the program that might give clues on their intent or behavior. This week, the Sonicwall Capture Labs Research team has analyzed a phishing email attachment that uses morse code to hide malicious scripts and URLs within the file.

Infection Cycle

The malicious file comes as a spam email attachment pretending to be an invoice and uses the following filename:

• <random>_invoice<random>.xlsx.html

It pretends to be an excel spreadsheet and upon execution it displays a fake session timeout error message for Office365 which then requires you to login and type in your password. This login information is sent to a remote server and the user is then redirected to a page with another fake error message.

This html file uses morse code to hide malicious URLs within the file.

It uses javascript to map the alpha-numeric characters to the dots and dashes in morse code. The decoded value is a hex string which further decodes to another nested script which loads another javascript hosted on a remote server.

These two URLs are the main files for this phishing campaign. The first one loads a css file as shown below.

While the second loads the main html page with the icons, images used and fake session time out message display prompting the user to login. This html page shows the remote server where stolen login information are then sent once the user types in his login information.

The remote server tanikawashuntaro dot com appears to be a compromised legitimate website.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Morse.PH (Trojan)