Attackers Change Their Code Obfuscation Methods More Frequently
Microsoft spotted a campaign that changed its encoding mechanism at least 10 times in the past year to evade detection — even using Morse code as one method.
August 16, 2021
Attackers are increasingly changing up the techniques used to obfuscate what their software is doing, with one group hiding parts of their code using a variety of techniques swapped out every 37 days on average.
In an analysis posted last week, researchers at the Microsoft 365 Defender Threat Intelligence Team tracked one cybercriminal group's phishing campaign as the techniques changed at least 10 times over the span of a year. The campaign, dubbed XLS.HTML by the researchers, used plaintext, escape encoding, base64 encoding, and even Morse code, the researchers said.
Changing up the encoding of attachments and data is not new, but highlights that attackers understand the need to add variation to avoid detection, the Microsoft researchers said.
"This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls," the researchers stated. "Regular updates of encoding methods prove that the attackers are aware of the need to change their routines to evade security technologies."
Microsoft's research is not the first to identify the extensive use of obfuscation. Such techniques are as old as malware itself, but more recently, attackers are switching up their obfuscation techniques more frequently. In addition, increasingly user-friendly tools used by cybercriminals intent on phishing make using sophisticated obfuscation much easier.
Messaging security provider Proofpoint documented seven obfuscation techniques in a paper published five years ago, and even then, many of the obfuscation techniques were not new, the company said. At the time, however, attackers were already in the process of incorporating the techniques into tools to make scrambling data easier.
"[W]hile many of the obfuscation techniques we have examined here are extremely sophisticated, they are often being incorporated into phishing kits, meaning that even inexperience cybercriminals can now stage attacks and build landing pages with commodity tools," Proofpoint stated in the paper.
Obfuscation is a dual-use technology: The technique is widely used by legitimate software to hide secrets and intellectual property from prying eyes, but is also used by cybercriminals to make malicious functionality more difficult to detect and block. Proofpoint detected attackers using encrypted Web pages, base64 techniques, XOR encoding, and custom techniques, the company stated in its paper.
Microsoft's more recent paper detected base64 encoding, escape encoding, different forms of text encoding—such as ASCII, UTF-16—and plaintext HTML.
Security services firm GoSecure analyzed an obfuscation-as-a-service site aimed at Android applications and found that the obfuscation did not completely evade detection. While the obfuscation, overall cut in half the number of antivirus scanners on VirusTotal that detected the scrambled malware, in some cases the obfuscation made the malware more likely to be classified as malicious.
While cycling obfuscation has become popular, groups often have a favored technique—preferred to the extent that it even serves as a way of attributing attacks, says Jérôme Segura, director of threat intelligence at Malwarebytes, an anti-malware firm.
"Obfuscation is almost a form of art only bound by the creativity and time an attacker wants to spend on it," he says. "As most obfuscation techniques will eventually be figured out, it can be more efficient for malware authors to stick with one main implementation but make small changes to it constantly."
Multiple Layers
In the most recent analysis penned by Microsoft, the detected attacks consisted of a spearphishing e-mail that included an attachment that looked like an HTML document. The page would bring up an image of a blurred Excel document with a login dialog box.
"The dialog box prompts the user to re-enter their password, because their access to the Excel document has supposedly timed out," Microsoft stated. "However, if the user enters their password, they receive a fake note that the submitted password is incorrect. Meanwhile, the attacker-controlled phishing kit running in the background harvests the password and other information about the user."
With attackers able to cycle through different types of obfuscation quickly, defenders need to be more agile to keep up, Microsoft added. With the types of encoding changing so quickly—and with the obfuscation applied to different parts of the attack chain—attacks may have a better chance of bypassing some security software.
"In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript," the company said. "Multilayer obfuscation in HTML can likewise evade browser security solutions."
About the Author
You May Also Like