More Hackers Harness the Powers of JavaScript for Lock Picking

Cybercriminals are increasingly using JavaScript obfuscation techniques to hide malicious code planted on websites. The technique is widely misused by multiple threat actors in campaigns around the world. Recently, attackers were also observed using it to hide malicious payloads in phishing emails.

Recent incidents

  • Recently, a bug was found in a software framework used by the Discord app, where the framework can be used to run JavaScript code.
  • Around the same time, a scam was infecting victims with JavaScript created to spread various malware, including the Cryxos trojan.
  • A few weeks ago, a trojan distribution framework, SolarSys, was discovered to be running malicious JavaScript scripts.
  • Researchers discovered that cybercriminals can execute malicious JavaScript code via link previews shared on Instagram or LinkedIn.
  • Last month, an obfuscated pop-up script was used to leverage baidu[.]com search results to redirect users to the attacker’s domain.

Why are attackers using it?

An attack using this technique can come from many sources and can be hidden in several ways. The same script can serve obfuscation, redirection, URL cloaking, content escaping, and polymorphic functions, all at the same time.

Anti-malware evasion technique

JavaScript-based obfuscation has become more sophisticated through the use of XOR decryption. XOR is a simple primitive borrowed from cryptography: the malicious payload is stored in encoded form and only decoded at runtime, so its bytes never appear in the script in a form that signature-matching anti-malware methods can easily detect.
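The flip side for defenders is that a single-byte XOR layer is cheap to strip once the encoded bytes are located. The following example is added here for illustration and is not code from the article or from any campaign it mentions: it pulls numeric array literals out of a script sample, tries all 256 keys on each, and ranks the decodes by how much they look like script text. The token list, the minimum array length, and the sample payload are assumptions chosen for the demonstration.

```javascript
// Added example: defender-side triage for single-byte-XOR-encoded strings in
// obfuscated JavaScript. A signature scanner sees only the encoded array; this
// recovers the plaintext by brute force and scoring, with no eval involved.

// Assumed token list: substrings whose presence suggests real script text.
const SUSPICIOUS_TOKENS = ['document', 'location', 'eval', 'http', 'window', 'script'];

function xorBytes(bytes, key) {
  return bytes.map((b) => b ^ key);
}

// Score = fraction of printable ASCII, plus one point per suspicious token.
function scoreCandidate(text) {
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c < 0x7f) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  const ratio = text.length ? printable / text.length : 0;
  const hits = SUSPICIOUS_TOKENS.filter((t) => text.includes(t)).length;
  return ratio + hits;
}

// Try every single-byte key and keep the best-scoring decode.
function bruteForceXor(bytes) {
  let best = { key: -1, score: -1, text: '' };
  for (let key = 0; key < 256; key++) {
    const text = String.fromCharCode(...xorBytes(bytes, key));
    const score = scoreCandidate(text);
    if (score > best.score) best = { key, score, text };
  }
  return best;
}

// Numeric array literals are the usual carrier for XOR-encoded payloads;
// arrays shorter than minLen (assumed default 8) are ignored as noise.
function extractByteArrays(source, minLen = 8) {
  const re = /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\]/g;
  const arrays = [];
  for (const m of source.matchAll(re)) {
    const bytes = m[1].split(',').map((n) => parseInt(n.trim(), 10));
    if (bytes.length >= minLen && bytes.every((b) => b < 256)) arrays.push(bytes);
  }
  return arrays;
}

function triageScript(source) {
  return extractByteArrays(source).map(bruteForceXor);
}

// Constructed sample: a redirect string encoded with key 0x5a, as an
// obfuscator would embed it ahead of its runtime decode stub.
const SAMPLE_PLAINTEXT = 'document.location="https://example.invalid/landing"';
const SAMPLE_BYTES = Array.from(SAMPLE_PLAINTEXT, (ch) => ch.charCodeAt(0));
const SAMPLE_SOURCE = 'var d=[' + xorBytes(SAMPLE_BYTES, 0x5a).join(',') + '];var k=0x5a;';
```

Running `triageScript(SAMPLE_SOURCE)` on the constructed sample returns one candidate with key 0x5a and the original redirect string; on a real sample the same scoring surfaces the key without executing any of the script.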

Conclusion

A greater number of sophisticated attacks exploiting JavaScript-based obfuscation techniques can be expected in the near future. Experts therefore suggest that a URL that seems malicious or comes from an unknown sender should be avoided or marked as spam. Organizations should also consider providing basic training to employees on how such attacks can cripple their infrastructure.