A new JavaScript obfuscation method that uses invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).

The technique relies on two invisible Unicode characters: the Hangul half-width filler (U+FFA0) and the Hangul full-width filler (U+3164). Each ASCII character in the JavaScript payload is converted into its 8-bit binary representation, and the ones and zeros are then replaced with these invisible Hangul filler characters. The obfuscated code is stored as a property in a JavaScript object, and because Hangul filler characters are rendered as blank space, the payload in the script looks empty, as shown by the blank space at the end of the image below.

A short bootstrap script retrieves the hidden payload using a JavaScript Proxy get() trap. When the hidden property is accessed, the Proxy converts the invisible Hangul filler characters back into binary and reconstructs the original JavaScript code.

"The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website," explains Juniper.

JavaScript developer Martin Kleppe first disclosed the obfuscation technique in October 2024, and its quick adoption in real attacks highlights how fast new research becomes weaponized.
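The following is an added analysis helper, not code from the article, from Juniper, or from Martin Kleppe's original write-up. It scans script text for runs of the two Hangul filler characters named above and decodes them back to ASCII using the one-bit-per-character scheme the article describes, so an analyst can see what a "blank" property actually holds. The article does not state which filler stands for 1 and which for 0, so the decoder tries both assignments and keeps the one that yields printable ASCII; the sample source with the hidden text "hi" is a constructed fixture, and the bit-to-character assignment used to build it is an assumption.

```javascript
// Added example: find and decode Hangul-filler-encoded strings in script text.
// Not taken from the article, Juniper, or Martin Kleppe's research.

const HALFWIDTH_FILLER = "\uFFA0"; // HALFWIDTH HANGUL FILLER, renders as blank
const FULLWIDTH_FILLER = "\u3164"; // HANGUL FILLER, renders as blank

// A run of 8 or more filler characters is at least one encoded byte.
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g;

// Printable ASCII plus tab, LF and CR; anything else is not a plausible
// decoded JavaScript payload.
function isPrintableAscii(s) {
  return /^[\x09\x0A\x0D\x20-\x7E]*$/.test(s);
}

// Decode one run, treating `oneChar` as bit 1 and the other filler as bit 0.
// Returns null when the run is not a whole number of 8-bit groups.
function decodeRun(run, oneChar) {
  if (run.length % 8 !== 0) return null;
  let out = "";
  for (let i = 0; i < run.length; i += 8) {
    const bits = Array.from(run.slice(i, i + 8), c => (c === oneChar ? "1" : "0")).join("");
    out += String.fromCharCode(parseInt(bits, 2));
  }
  return out;
}

// Scan `source` and return one record per hidden run: where it sits, how many
// invisible characters it contains, the decoded text (or null if neither bit
// assignment produced printable ASCII), and which filler represented bit 1.
function findHiddenPayloads(source) {
  const findings = [];
  for (const m of source.matchAll(FILLER_RUN)) {
    const run = m[0];
    // Inverting every bit of printable ASCII gives bytes >= 0x81, so at most
    // one of the two assignments can decode to printable text.
    const candidates = [HALFWIDTH_FILLER, FULLWIDTH_FILLER]
      .map(one => ({ one, text: decodeRun(run, one) }))
      .filter(c => c.text !== null && isPrintableAscii(c.text));
    findings.push({
      offset: m.index,
      invisibleChars: run.length,
      decoded: candidates.length ? candidates[0].text : null,
      oneIs: candidates.length ? candidates[0].one : null,
    });
  }
  return findings;
}

// Constructed fixture (assumption: U+3164 encodes 1, U+FFA0 encodes 0):
// the ASCII text "hi" is 0x68 0x69, i.e. 01101000 01101001, embedded in an
// otherwise innocent-looking object literal as the article describes.
const SAMPLE_BITS = "0110100001101001";
const hiddenValue = Array.from(SAMPLE_BITS, b => (b === "1" ? FULLWIDTH_FILLER : HALFWIDTH_FILLER)).join("");
const SAMPLE_SOURCE = `const cfg = { note: "${hiddenValue}", version: 3 };`;

console.log(findHiddenPayloads(SAMPLE_SOURCE));
```

Run with `node` to see the decoded record for the fixture. On real script content, a non-empty result from findHiddenPayloads is itself a strong detection signal: legitimate code has no reason to contain long runs of Hangul filler characters, regardless of whether the decode succeeds.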
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Feb 2025 20:15:10 +0000