In an overwhelming environment of threats, such as phishing and web scamming, time and resources play a significant role in detection, mitigation, and prevention. Evasion techniques are therefore key for scammers, as they give them the opportunity to stay under the radar and avoid being seen.
In this blog, we'll review some of the most prevalent evasion and obfuscation techniques being used in the wild based on numerous phishing websites Akamai has been able to track over the last few months.
Content Escaping - URL Encoding
The "unescape()" function computes a new string in which hexadecimal escape sequences are replaced with the characters they represent, and "eval()" takes a string and checks to see if it represents an expression. If it does, then eval() will execute that expression.
Fig. 1: An example of a phishing page obfuscated with eval() and unescape()
This technique is not considered a highly sophisticated evasive technique. Yet, without rendering the page and evaluating the content, it will be hard to determine that the web page is malicious. Both the "eval()" and "unescape()" functions are being used by many benign websites, and are not enough on their own to indicate malicious activity.
In Figure 2, a custom function spotted in the wild takes base64 input and uses the Array.prototype.map call to split the string into an array. Another custom function then runs on each character: it adds '%' + '00', changes the character to ASCII, and strips the '00' again. Finally, decodeURIComponent() is run on the entire output.
Fig. 2: An example of a page obfuscated with decodeURIComponent()
Content Escaping - Base64
Another common way to obfuscate content on a page is to use base64 encoding. Base64 encoding is often used on websites to transform binary data to an ASCII representation of the data. A legitimate and common use of base64 is to include embedded image content on an HTML page.
In the context of phishing and web scamming, base64 obfuscation is used to hide content as a base64-encoded data object. An example of this is seen in Figure 3, where we can see an HTML object being loaded from a "data:text/html;base64," data type, and rendered in HTML. The rendering is shown in Figure 4.
Fig. 3: Base64 decoded object
Fig. 4: Rendered page out of base64 object
Fig. 5: Base64 decoding - atob function
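To show why escaped and base64-encoded content stays invisible to text matching until the layers are decoded, here is an added example (not code from the original post or from any observed phishing page) that statically decodes string literals passed to unescape(), decodeURIComponent() and atob(), as well as base64 data URIs, without executing anything. The sample page, the signature and all names are constructed for illustration, and only literal arguments are handled, not values computed at run time.

```javascript
// Added example: static layer peeling. Nothing from the page is ever executed.
const pctDecode = (s) =>
  s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
const b64Decode = (s) => Buffer.from(s, "base64").toString("latin1");

// Each layer matches an encoded string literal and decodes it as data only.
const LAYERS = [
  { name: "percent-escape",
    re: /\b(?:unescape|decodeURIComponent)\(\s*(["'])([^"']*)\1\s*\)/g,
    decode: (m) => pctDecode(m[2]) },
  { name: "atob",
    re: /\batob\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*\)/g,
    decode: (m) => b64Decode(m[2]) },
  { name: "data-uri",
    re: /data:text\/html;base64,([A-Za-z0-9+\/=]+)/g,
    decode: (m) => b64Decode(m[1]) },
];

// Breadth-first: decode every literal found, then rescan the decoded text.
function peelLayers(source, maxDepth = 5) {
  const found = [];
  let queue = [source];
  for (let depth = 1; depth <= maxDepth && queue.length > 0; depth++) {
    const next = [];
    for (const text of queue) {
      for (const { name, re, decode } of LAYERS) {
        for (const m of text.matchAll(re)) {
          const decoded = decode(m);
          found.push({ depth, name, decoded });
          next.push(decoded);
        }
      }
    }
    queue = next;
  }
  return found;
}

// Hypothetical text signature: a form that collects a password.
const looksLikeCredentialForm = (t) =>
  /<form\b/i.test(t) && /type\s*=\s*["']?password/i.test(t);

// Constructed sample: a credential form in a base64 data URI, inside eval(unescape()).
const INNER = '<form action="https://login.example.invalid/p"><input type="password"></form>';
const IFRAME = `<iframe src="data:text/html;base64,${Buffer.from(INNER).toString("base64")}"></iframe>`;
const hex = (s) => [...s].map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE = `<script>eval(unescape("${hex(`document.write('${IFRAME}')`)}"))</script>`;

const layers = peelLayers(SAMPLE);
console.log(layers.map((l) => `${l.depth}:${l.name}:${looksLikeCredentialForm(l.decoded)}`));
```

The signature misses the raw page and the first decoded layer, and only matches once the data URI inside that layer has been decoded as well.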
One notable observation about some of those XOR functions, such as the one presented in Figure 6, is that they are customized each time they are used by changing the function name, payload delimiter value, and encryption key padding. That kind of customization makes it harder to detect the phishing or web scamming page via static detection, such as text-based signatures.
Fig. 6: Customized XOR decryption functions
In some cases, we were able to see obfuscated source code that used both content escaping and XOR decryption to create an even more evasive combination not easily detected.
Content Obfuscation - Function and Variable Name
Content Obfuscation - Dead Code Injection
Content Obfuscation - Split and Concatenation of String
Splitting the code to be obfuscated into chunks of strings, concatenating them, and executing all kinds of manipulations on those chunks, such as array value rotations, results in code that is unreadable and evasive.
Evasion and obfuscation techniques are used in a variety of legitimate use cases. For example, such measures can be used to stop someone from copying your client-side code. Therefore, the usage of evasive techniques shouldn't be considered as malicious by default.
Enterprises need to make sure that websites are protected and guarded against malicious code injection, which will help protect applications and users alike. Likewise, they need to take care to layer their defenses in a way that protects users from scam sites that leverage these techniques.