
Attackers are using Morse code and other encryption methods to hide traces of their presence


Hackers use a variety of techniques to obliterate evidence of their presence in a system. They may implement inconspicuous communication protocols or choose to use self-removing software. But it doesn’t stop there. The 170-year-old Morse code can also serve this evasion tactic, and Microsoft has found traces of it.

Speaking of Microsoft, the cybercriminals are probably interested in Office 365 credentials. The goal of the campaign is to collect usernames, passwords and – in the newer version – other information such as IP address and location. It is quite possible that this is early reconnaissance – the collected data can be used to infiltrate and steal data in subsequent attacks.

In this new phishing campaign, attackers apply multi-layered obfuscation and encryption mechanisms to known file types such as JavaScript. Multi-layer HTML obfuscation can also bypass security mechanisms built into web browsers.

The xls.HTML or xslx.HTML attachments sent with the phishing message are split into multiple segments, each encoded using a different method: plain HTML, escaping, Base64, ASCII characters and Morse code. As a result, they appear harmless to automated systems and are able to slip past anti-spam filters.

Attackers also changed their encryption schemes every month to try to hide their activity, using different methods for each segment and switching between plain HTML, escaping, Base64, ASCII characters and even Morse code.
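For defenders triaging such an attachment, the sketch below classifies and decodes each string literal found in its script blocks. It is an added example, not code from Microsoft or from this article; the function names, the comma-separated decimal form assumed for the "ASCII" segments, the mixed-encoding threshold and the sample attachment are all constructed for illustration.

```python
import base64, re, string
from urllib.parse import unquote
# International Morse for A-Z then 0-9, in order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- "
          ".-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- "
          "..... -.... --... ---.. ----.").split()
MORSE = dict(zip(_CODES, string.ascii_uppercase + string.digits))

def decode_segment(seg):
    """Return (encoding, decoded_text) for one string literal."""
    s = seg.strip()
    if re.fullmatch(r"[.\-]{1,5}( [.\-]{1,5}){3,}", s):
        return "morse", "".join(MORSE.get(tok, "?") for tok in s.split())
    if re.fullmatch(r"\d{2,3}(,\d{2,3}){3,}", s):  # assumed "ASCII" form
        return "charcode", "".join(chr(int(n)) for n in s.split(","))
    if len(re.findall(r"%[0-9A-Fa-f]{2}", s)) >= 3:
        return "escaped", unquote(s)
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", s) and len(s) % 4 == 0:
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
            if text.isprintable():
                return "base64", text
        except ValueError:  # bad padding or non-ASCII payload
            pass
    return "plain", s

def triage(html):
    """Decode every quoted literal inside the attachment's <script> blocks."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    return [decode_segment(m[1]) for sc in scripts
            for m in re.findall(r"""(["'])(.*?)\1""", sc, re.S)]

def is_suspicious(html, threshold=2):
    """Hypothetical heuristic: several distinct encodings in one attachment."""
    kinds = {kind for kind, _ in triage(html) if kind != "plain"}
    return len(kinds) >= threshold

# Constructed sample: harmless strings, one encoding per segment.
SAMPLE = """<html><body><script>
var a = "... .- -- .--. .-.. .";
var b = "ZXhhbXBsZS5pbnZhbGlkL2xvZ28=";
var c = "%3Cdiv%3Ehello%3C%2Fdiv%3E";
var d = "104,101,108,108,111";
var e = "Invoice";
</script></body></html>"""

if __name__ == "__main__":
    for kind, text in triage(SAMPLE):
        print(f"{kind:9} {text}")
```

A spreadsheet-named HTML attachment whose script mixes Morse, Base64, escaping and character codes is unusual enough on its own to justify quarantine and manual review, regardless of what the segments decode to.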

James Aykin
