JavaScript Packing Found in More Than 25% of Malicious Sites

Published: 23/11/2024   Category: security




Obfuscation techniques are extremely prevalent, data shows, but they can't be used as a single indicator of compromise because legitimate websites use them too.



JavaScript obfuscation continues to be a favored method among cyberattackers for sneaking past defenses to deliver a broad range of payloads. However, even a good method for flagging the presence of JavaScript packer obfuscation is not a foolproof method of detection because a small number of websites use obfuscation for legitimate purposes, too, research shows.
Or Katz, principal lead security researcher at Akamai, this week published a sneak peek into the results of research he'll be presenting at the upcoming SecTor 2021 conference, where he'll discuss what he calls a lazy but high-performance and cost-effective method for detecting common JavaScript packer templates.
In the run-up to this talk, Katz analyzed over 30,000 benign and malicious JavaScript files. Of the 10,000 that were malicious, Katz found 26% exhibited signs and patterns of having used one of five packer functionalities profiled by his tool. They spanned a wide range of malicious file types, including malware droppers, phishing pages, cryptominer malware, and Magecart scams.
The one-in-four occurrence rate of obfuscation puts a solid number to the growing ease with which attackers apply software-packing methods to their malicious code to make it harder to read and debug and, consequently, harder for cybersecurity tools to analyze and detect.
"It's obviously a widely used technique, and it is so easy to do today. There are online services where you can put in your source code and the service will create obfuscated code," Katz says. "It's a challenge for us defenders because these are not text-based or hash-based files that we can easily find and detect. We have to do much more intensive work on them to better understand what really happened behind the scenes on these files."
Katz will go more in-depth at SecTor 2021 about how his tooling aids the process, though his post this week highlights how similar four widely different payload samples look when they go through the same unique packer functionality.
While packers are not anything new, Katz believes they deserve continued observation and monitoring because they still work so well for adversaries — not only to evade detection but to buy the bad guys time during attacks, as methods for analyzing and detecting these files are traditionally time-consuming.
"Going over obfuscated code takes more computational resources and more human resources. In that sense, that can lead to longer life spans for these scams and higher success rates and more revenue for them," he says.
This was the drive behind the creation of his tooling and why he believes it's worth the look — with the caveat, of course, that like most detection methods in security, it's no silver bullet. One of the interesting findings he plans to discuss in his presentation is the fact that obfuscation is not necessarily an automatic red flag for a website.
"Looking on the benign side of things, I was able to see that obfuscation is being used for legitimate websites. That surprised me a bit because I didn't anticipate that," he says, explaining that 0.5% of legitimate websites use the technique to hide code functionality on their sites.
Digging into these, he found that obfuscation is frequently used for a number of valid reasons, including to conceal client-side functionality, hide code developed by a third-party provider, or hide sensitive information like email addresses.
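The cheap, template-signature style of check described above, and the reason a hit is only a triage signal, illustrated with an added example that is not Katz's tool or Akamai's code. The three template signatures and all sample scripts are illustrative and constructed by me; the article does not name the five templates the research profiled.

```javascript
// Added example (not Katz's tool): a cheap, signature-based check for common
// JavaScript packer templates. The template list is illustrative; it is not the
// five templates the Akamai research profiled, which the article does not name.
const PACKER_TEMPLATES = [
  // Dean Edwards' /packer/ emits: eval(function(p,a,c,k,e,d){...}('...',36,N,'a|b'.split('|'),0,{}))
  { name: "dean-edwards-packer", pattern: /eval\(function\(p,a,c,k,e,[dr]\)\{/ },
  // eval over a percent-encoded string: eval(unescape("%76%61%72..."))
  { name: "eval-unescape", pattern: /eval\(\s*unescape\(\s*["'](?:%[0-9a-fA-F]{2}){8,}/ },
  // source rebuilt at run time from a long String.fromCharCode(...) list
  { name: "fromcharcode-array", pattern: /String\.fromCharCode\((?:\s*\d{1,3}\s*,){16,}/ },
];

// Names of every template whose signature appears in the source (empty = no hit).
function detectPackerTemplates(source) {
  return PACKER_TEMPLATES.filter((t) => t.pattern.test(source)).map((t) => t.name);
}

// How often packing shows up in each class of a labelled corpus. This is the kind
// of number the article reports (26% of malicious files, 0.5% of benign ones) and
// the reason a packer hit is a triage signal, not a verdict on its own.
function packerRates(corpus) {
  const tally = { malicious: { packed: 0, total: 0 }, benign: { packed: 0, total: 0 } };
  for (const [label, source] of corpus) {
    tally[label].total += 1;
    if (detectPackerTemplates(source).length > 0) tally[label].packed += 1;
  }
  return {
    malicious: tally.malicious.packed / tally.malicious.total,
    benign: tally.benign.packed / tally.benign.total,
  };
}

// Constructed samples, not real captures. PACKED_SAMPLE has the layout the Dean
// Edwards packer produces for a one-line script; the others are hand-written.
const PACKED_SAMPLE =
  "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};" +
  "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}" +
  "return p}('0.1(\"2\")',3,3,'console|log|hello'.split('|'),0,{}))";
const UNESCAPE_SAMPLE = 'eval(unescape("%76%61%72%20%78%3d%31%3b"))'; // decodes to: var x=1;
const PLAIN_SCRIPT = "document.getElementById('nav').classList.toggle('open');";

// Label and packing are independent: legitimate sites pack too (e.g. to hide
// third-party code), so the benign class also contains a hit.
const SAMPLE_CORPUS = [
  ["malicious", PACKED_SAMPLE], ["malicious", UNESCAPE_SAMPLE],
  ["malicious", PLAIN_SCRIPT], ["malicious", PLAIN_SCRIPT],
  ["benign", PLAIN_SCRIPT], ["benign", PLAIN_SCRIPT], ["benign", PLAIN_SCRIPT], ["benign", PACKED_SAMPLE],
];
console.log(detectPackerTemplates(PACKED_SAMPLE)); // [ 'dean-edwards-packer' ]
console.log(packerRates(SAMPLE_CORPUS));           // { malicious: 0.5, benign: 0.25 }
```

The regexes run over raw source text, which is what makes the check cheap; they say nothing about what the packed payload does, so a hit should route the file to deeper analysis rather than straight to a block decision.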
