
JavaScript Packing Found In More Than 25% of Malicious Sites

JavaScript obfuscation continues to be a favored method among cyberattackers for sneaking past defenses to deliver a broad range of payloads. However, even a good method for flagging JavaScript packer obfuscation is not a foolproof detector, because a small number of legitimate websites use obfuscation too, the research shows.

Or Katz, principal lead security researcher for Akamai, this week published a sneak peek into the results of research he’ll be presenting at the SecTor 2021 conference that will unveil what he calls a ‘lazy’ but high-performance and cost-effective method for detecting common JavaScript packer templates. In the run-up to this talk, Katz analyzed over 30,000 benign and malicious JavaScript files.

Of the 10,000 malicious files, Katz showed 26% exhibited signs and patterns of having used one of five packer functionalities profiled by his tool. They spanned a wide range of malicious file types including malware droppers, phishing pages, cryptominer malware, and Magecart scams.

The one-in-four occurrence rate of obfuscation puts a solid number to the growing ease with which attackers apply software packing methods to their malicious code to make it harder to read and debug, and consequently, harder for cybersecurity tools to analyze and detect.

“It’s obviously a widely used technique and it is so easy to do today. There are online services where you can put in your source code and the service will create obfuscated code,” says Katz. “It’s a challenge for us defenders because these are not text-based or hashed-based files that we can easily find and detect. We have to do much more intensive work on them to better understand what really happened behind the scenes on these files.”

Katz will go more in-depth at SecTor 2021 on how his tooling aids the process, though his post this week did highlight how similar four widely different payload samples look when they go through the same unique packer functionality.
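The observation above, that four unrelated payloads look alike once they pass through the same packer, is the core of template-based detection: the packer's wrapper is constant while the payload varies. The following is an added example, not code from the article or from Akamai's tool. It matches one real, widely seen wrapper shape (the `eval(function(p,a,c,k,e,d){...})` packer) plus a constructed toy template, and separately computes a payload-independent "skeleton" so that files packed by the same template cluster together. The template list, the skeleton normalisation and all sample inputs are assumptions made for illustration; the sample wrappers are abbreviated imitations, not real packer output.

```javascript
// Added example, not code from the article or from Akamai's tool.
// Idea taken from the article: a packer wraps every payload in the same fixed
// scaffolding, so the wrapper (not the payload) is the thing worth matching.
// Template signatures are assumptions for illustration: the first is the widely
// seen eval(function(p,a,c,k,e,d){...}) wrapper, the second a constructed toy
// (eval of a reversed string) included only to show the table is extensible.

const PACKER_TEMPLATES = [
  {
    name: "eval_function_packer",
    pattern: /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)/,
  },
  {
    name: "reverse_string_eval", // constructed template, not a known packer
    pattern: /eval\s*\(\s*(['"])(?:\\.|(?!\1)[^\\])*\1\s*\.split\s*\(\s*['"]{2}\s*\)\s*\.reverse\s*\(\s*\)\s*\.join\s*\(/,
  },
];

// Names of every template whose wrapper appears in the file.
function detectPackerTemplates(source) {
  return PACKER_TEMPLATES.filter((t) => t.pattern.test(source)).map((t) => t.name);
}

// Payload-independent skeleton: string literals, numbers and whitespace are the
// parts that change from payload to payload, so they are normalised away.
// Two files packed by the same template collapse to the same skeleton.
function templateSkeleton(source) {
  return source
    .replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, "<str>")
    .replace(/\b\d+\b/g, "<num>")
    .replace(/\s+/g, "");
}

// Group files by skeleton; a cluster of unrelated sites sharing one skeleton
// is a candidate packer template worth a closer look.
function clusterBySkeleton(files) {
  const clusters = new Map();
  for (const [name, source] of Object.entries(files)) {
    const key = templateSkeleton(source);
    if (!clusters.has(key)) clusters.set(key, []);
    clusters.get(key).push(name);
  }
  return [...clusters.values()];
}

// Constructed samples: two different payloads through the same shortened
// eval(function(p,a,c,k,e,d)...) wrapper, one toy reversed-string sample, and
// plain code. The wrapper bodies are abbreviated imitations, not real packer output.
const SAMPLES = {
  packedA:
    "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+c.toString(a)+'\\\\b','g'),k[c])}}return p}('0(\"1\")',2,2,'alert|hello'.split('|'),0,{}))",
  packedB:
    "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+c.toString(a)+'\\\\b','g'),k[c])}}return p}('0.1=2(\"3\")',4,4,'document|location|decodeURI|example'.split('|'),0,{}))",
  packedC: "eval('tnemucod'.split('').reverse().join(''))",
  plain: "document.getElementById('x').textContent = 'hello';",
};

for (const [name, source] of Object.entries(SAMPLES)) {
  console.log(name, "->", detectPackerTemplates(source));
}
console.log("skeleton clusters:", clusterBySkeleton(SAMPLES));
```

Run it with `node` and the two differently-payloaded packed samples report the same template and land in the same skeleton cluster, while the plain file matches nothing. The skeleton step is what makes the approach cheap: there is no need to execute or deobfuscate anything to notice that many files share one wrapper, which is also why the article's caveat matters, since a legitimate site using the same packer will cluster with the malicious ones and needs a second look rather than an automatic block.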

While packers are nothing new, he believes they deserve continued observation and monitoring because they still work so well for adversaries—not only to evade detection, but to buy the bad guys time during attacks, as the methods for analyzing and detecting these files are traditionally time-consuming.

“Going over obfuscated code takes more computational resources and more human resources and in that sense that can lead to longer lifespans for these scams and higher success rates and more revenue for them,” he told Dark Reading.

This was the drive behind the creation of his tooling and why he believes it is worth a look—with the caveat, of course, that like most detection methods in security, it is no silver bullet. One of the interesting findings he highlighted today and will discuss in his presentation is that obfuscation is not necessarily an automatic red flag for a website.

“Looking on the benign side of things, I was able to see also that obfuscation is being used for legitimate websites. That surprised me a bit, because I didn’t anticipate that,” he says, explaining that 0.5% of legitimate websites use the technique to hide code functionality on their sites.

Digging into these, he found that obfuscation is frequently used for a number of valid reasons, including concealing client-side functionality, hiding code developed by a third-party provider, or hiding sensitive information such as email addresses.
