Did you know Hackers Exploit Unicode Tricks to Conceal JavaScript Payloads in Sophisticated Phishing Campaign


A round of phishing attacks is under way that uses invisible Unicode characters to represent binary values.

The latest attack is reported to target a political action committee (PAC) based in the United States. Juniper Threat Labs spotted the campaign, which began in early January this year, and reported that it showed several signs of sophistication.

First, victims are targeted with personalized information that is not publicly available. Second, the attack uses debugging breakpoints and timing checks to stay under the radar. And lastly, it uses Postmark tracking links that obscure the final phishing destinations.

The obfuscation technique was first described late last year by JavaScript developer Martin Kleppe. That it was adopted so quickly in real attacks shows how fast new research is being weaponized against users.

The technique relies on invisible Unicode characters, specifically the Hangul half-width and Hangul full-width filler characters. Every character of the JavaScript payload is converted into its 8-bit binary representation, and each binary digit is then replaced with one of the two invisible Hangul filler characters.

The encoded string is stored as a property of a JavaScript object, and because the Hangul filler characters render as blank space, the payload looks like nothing more than empty space in the script.

A short bootstrap script retrieves the hidden payload through a JavaScript Proxy when the property is accessed; the proxy converts the invisible fillers back into binary digits and reconstructs the actual JavaScript code.

The attackers take additional measures to keep their tracks hidden, including anti-debugging checks intended to defeat analysis.

Each attack is precisely targeted and personalized with data that is not publicly available. Timing checks detect the delays introduced by debugging, and when they are found the attack is aborted by redirecting the victim to a benign website. The attacks are hard to detect because the blank space reduces the chance that a security scanner will flag the script as dangerous.

Such payloads can be injected into legitimate scripts without raising suspicion, and the encoding itself is simple to apply and needs no special expertise. Two domains used in the campaign were previously linked to the Tycoon 2FA phishing kit; if that connection holds, the invisible method is likely to be adopted by a larger number of attackers soon.
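The following is an added example, not code from the article, from Juniper Threat Labs, or from Martin Kleppe. It reproduces the encoding the article describes (each payload byte becomes eight invisible Hangul filler characters) so that an analyst can unpack a suspicious string, and it adds the kind of check a scanner needs in order not to be fooled by the "empty space": a scan for long runs of the two filler code points. The assignment of HALFWIDTH HANGUL FILLER (U+FFA0) to bit 0 and HANGUL FILLER (U+3164) to bit 1 is an assumption made for this example, and the sample script and payload are constructed.

```javascript
// Added example: decoder and detector for JavaScript hidden in invisible
// Hangul filler characters. Not the article's or the attackers' code.

const HALFWIDTH_FILLER = '\uFFA0'; // HALFWIDTH HANGUL FILLER, renders as blank
const FILLER = '\u3164';           // HANGUL FILLER, also renders as blank

// Encode text as described in the article: 8-bit binary per character, each
// bit replaced by an invisible filler. Assumption: U+FFA0 = 0, U+3164 = 1.
// Used here only to build test data for the decoder and scanner below.
function encodeInvisible(source) {
  let out = '';
  for (const ch of source) {
    const code = ch.codePointAt(0);
    if (code > 0xff) throw new RangeError('8-bit encoding only covers Latin-1 characters');
    for (const bit of code.toString(2).padStart(8, '0')) {
      out += bit === '0' ? HALFWIDTH_FILLER : FILLER;
    }
  }
  return out;
}

// Reverse the encoding: fillers -> bits -> bytes -> characters.
// A trailing partial byte (fewer than 8 fillers) is dropped rather than
// treated as an error, so the scanner can still decode a truncated run.
function decodeInvisible(hidden) {
  let bits = '';
  for (const ch of hidden) {
    if (ch === HALFWIDTH_FILLER) bits += '0';
    else if (ch === FILLER) bits += '1';
    else throw new Error('unexpected character in hidden payload');
  }
  let out = '';
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

// Detection: legitimate scripts almost never contain long unbroken runs of
// these two code points. Report every run of at least minRun fillers.
function findInvisibleRuns(text, minRun = 64) {
  const re = new RegExp(`[${HALFWIDTH_FILLER}${FILLER}]{${minRun},}`, 'gu');
  const findings = [];
  for (const m of text.matchAll(re)) {
    findings.push({ offset: m.index, length: m[0].length, bytes: Math.floor(m[0].length / 8) });
  }
  return findings;
}

// Convenience for incident response: locate each run and decode it.
function extractHiddenPayloads(text, minRun = 64) {
  return findInvisibleRuns(text, minRun).map((run) => ({
    ...run,
    decoded: decodeInvisible(text.slice(run.offset, run.offset + run.length)),
  }));
}

// Constructed sample: a harmless stand-in payload hidden inside what looks
// like an ordinary configuration object with an empty-looking "value".
const SAMPLE_PAYLOAD = 'console.log("hi")';
const SAMPLE_SCRIPT =
  'const cfg = {\n' +
  '  name: "site",\n' +
  '  value: "' + encodeInvisible(SAMPLE_PAYLOAD) + '"\n' +
  '};\n';

for (const hit of extractHiddenPayloads(SAMPLE_SCRIPT)) {
  console.log(`invisible run at offset ${hit.offset}: ${hit.length} fillers (${hit.bytes} bytes)`);
  console.log(`decoded: ${hit.decoded}`);
}
```

The scanner only keys on the two filler code points the article names; other invisible characters (zero-width spaces, variation selectors) would need their own entries in the character class, and a production check should also look at how the decoded text is used rather than only whether it is present.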


Mohamed Elarby

A tech blog focused on blogging tips, SEO, social media, mobile gadgets, pc tips, how-to guides and general tips and tricks
