Researchers have found that many cybercriminals use packers when authoring malicious JavaScript (JS) code in order to evade signature-based detection. A packer is a software packaging method that compresses and encrypts (or otherwise encodes) the original code and wraps it in a small stub that decodes it at runtime, so the delivered file is unreadable and hard to debug.

How big is the issue?

Akamai researchers studied more than 10,000 malicious JS samples.
  • At least 25% of the samples used JS obfuscation techniques to evade detection.
  • Packers today aid in the propagation of phishing pages, malware droppers, scams, crypto-malware, and even Magecart attacks.
  • The SUNBURST malware delivered in the 2020 SolarWinds attack also relied on obfuscation to evade defenses.
  • In an earlier report, Akamai highlighted that phishing attacks using JavaScript obfuscation techniques rose over 70% from November 2019 through August 2020.

Historical background

Packers originated as a legitimate developer tool, used alongside JS libraries to reduce the number of bytes downloaded on each page in order to support richer web applications.
  • Note that some of the world's top websites contain embedded, obfuscated JavaScript for legitimate business and compliance reasons.
  • Attackers, however, saw packers as a way to dodge and bypass security checks.

An example of frequently changing obfuscation

There are countless ways of obfuscating code and packing malware, and they cannot be enumerated in advance. In August, Microsoft reported on a phishing campaign, dubbed XLS.HTML, whose operators changed their obfuscation technique at least 10 times within a year. With each change, the authors simply repackage the same common attack methods so that their features look different to a detector.
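To make the two points above concrete (what a packer stub actually does to a script, and why a detector keyed on one stub's text stops working the moment the authors repackage), here is an added example written for this page. It is not Akamai's research code, Microsoft's analysis, or any real campaign's stub: the payload, the XOR key, and all function names are constructed for illustration. Two toy packers wrap the same harmless payload in different stubs; a regex signature catches the first and misses the second; an eval-hooking unpacker, which binds the stub's free `eval` identifier to a capture function, recovers the payload from both.

```javascript
// Added example, not code from Akamai, Microsoft or Cyware. All payloads,
// stubs and keys below are constructed for illustration.

// Harmless stand-in for the script an attacker wants to hide (constructed,
// ASCII-only so the percent-encoding packer below needs no %uXXXX escapes).
const PAYLOAD = 'document.title = "you have been phished"; // stand-in for a dropper';

// Packer 1: XOR each char code with a one-byte key and emit a stub that
// rebuilds the string with String.fromCharCode and hands it to eval().
function packFromCharCode(src, key) {
  const codes = Array.from(src, ch => ch.charCodeAt(0) ^ key);
  return `eval(String.fromCharCode.apply(null,[${codes.join(',')}].map(c=>c^${key})))`;
}

// Packer 2: same payload, different wrapper. Percent-encode every char and
// let the stub undo it with unescape(). This is the "repackaging" step the
// article describes: same behaviour, different surface text.
function packUnescape(src) {
  const enc = Array.from(src, ch => '%' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return `eval(unescape("${enc}"))`;
}

// Signature-based detector: flags the String.fromCharCode-into-eval idiom.
// Cheap, but brittle: it keys on one packer's stub text.
const FROMCHARCODE_SIG = /eval\s*\(\s*String\.fromCharCode/;
function matchesSignature(code) {
  return FROMCHARCODE_SIG.test(code);
}

// Behavioural unpacker: run the stub with its free `eval` identifier bound
// to a capture function, so the decoded payload is recorded, not executed.
// new Function() builds a sloppy-mode function, which is what permits a
// parameter named `eval`; because `eval` then resolves to our function and
// not the intrinsic, the call is an ordinary call rather than a direct eval.
// The stub's own decoding logic still runs, so do this only in a sandbox.
function unpackViaEvalHook(stub) {
  const captured = [];
  const fakeEval = s => { captured.push(String(s)); return undefined; };
  new Function('eval', stub)(fakeEval);
  return captured;
}

// Run both packers past both checks and report what each one saw.
function demo() {
  const stubs = {
    fromCharCode: packFromCharCode(PAYLOAD, 0x5a),
    unescape: packUnescape(PAYLOAD),
  };
  const results = {};
  for (const [name, stub] of Object.entries(stubs)) {
    results[name] = {
      stubLength: stub.length,
      signatureHit: matchesSignature(stub),
      recovered: unpackViaEvalHook(stub),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows `signatureHit: true` for the fromCharCode stub and `false` for the unescape stub, while `recovered` holds the original payload in both cases. The hook is deliberately minimal: a stub that reaches the interpreter through `window["eval"]`, `Function(...)()`, `setTimeout` with a string, or `document.write` sidesteps a shadowed `eval` parameter, so a production unpacker hooks all of those inside an isolated sandbox and never executes attacker-controlled code on an analyst's own host.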

Moreover, attackers have begun building user-friendly tooling into their phishing attempts, which makes the obfuscation techniques they apply more sophisticated still.

Closing lines

JavaScript gives threat actors great flexibility to customize code and add more advanced evasion techniques. Enterprises must ensure their websites are protected against malicious code injection. Layering on defenses that alert users when they land on scam sites would also help.

Cyware Publisher