About 26% of malicious JavaScript found to be obfuscated.

A study that analyzed more than 10,000 samples of a wide variety of malicious software written in JavaScript found that approximately 26% of it is obfuscated to evade detection and analysis.


In the world of cyber-attacks, where every millisecond counts in the ongoing struggle between cybercriminals and defending forces, the use of limited resources plays a critical role.

As the scale of malware and phishing threats continues to grow, analyzing obfuscated code will require more time and resources, which may result in missed detections, making attacks more effective and valuable to cybercriminals.

Obfuscation is the transformation of easily understandable source code into confusing code that is difficult to read but still works as intended. Threat groups commonly use it to make malicious scripts difficult to analyze and to circumvent security software.

Obfuscation can be achieved in a variety of ways, including injecting unused code into scripts, splitting and concatenating code, using hexadecimal patterns, and using tricky overlaps in function and variable names.

Obfuscation on the rise

Akamai researchers analyzed 10,000 JavaScript samples, including malware droppers, phishing pages, fraud tools, Magecart snippets, cryptominers and more.

We found that at least 26% of them use some form of obfuscation to evade detection, and the adoption of this basic and effective technique is increasing.

Many of these obfuscated examples are bundled by the same packer, so the code structure looks similar even if the functionality is different.

Akamai will be presenting more details at the upcoming SecTor conference about how it is focusing its detection efforts on the packing technique, rather than on the file code itself.

Legitimate sites use it too

But not all obfuscation is malicious and nasty; the report found that of the 20,000 top-ranked websites on the web (according to Alexa), about 0.5% also use obfuscation techniques.

These cases are attributed to the following reasons:

  • The website is trying to hide some of its client-side code functionality from competitors
  • The JavaScript snippets used are obfuscated by a third-party provider
  • Sensitive information like email addresses needs to be kept out of the public eye

As you can see, the mere fact that code is obfuscated is not enough to identify it as malicious; the obfuscation has to be correlated with further malicious functionality.

This overlap with legitimate use makes dangerous code difficult to detect, and is why obfuscation is so prevalent among threat groups.
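
As an added illustration (not code from Akamai or the study), the JavaScript below counts static indicators for the techniques listed earlier: hexadecimal escapes, split-and-concatenated strings and dead code, plus packer-style _0x identifiers, which are an assumption not taken from the report. The thresholds and the three sample strings are constructed; the harmless e-mail-hiding snippet is flagged just like the packed one, so the result is a triage signal and not a verdict.

```javascript
// Added example. Thresholds are illustrative assumptions, not figures from the study.
function indicators(src) {
  const count = (re) => (src.match(re) || []).length;
  // "\xNN" / "\uNNNN" escapes written literally in the source text
  const escapes = src.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || [];
  const escapedChars = escapes.reduce((n, m) => n + m.length, 0);
  return {
    escapeDensity: escapedChars / Math.max(src.length, 1),
    // one string literal closed, "+", and another opened: "ab" + "cd"
    concats: count(/['"]\s*\+\s*['"]/g),
    // identifiers such as _0x4f2a (assumed packer naming style, not from the report)
    hexNames: count(/\b_0x[0-9a-fA-F]+\b/g),
    // branches that can never run, one simple form of unused code
    deadBranches: count(/\b(?:if|while)\s*\(\s*(?:false|0|!1)\s*\)/g),
  };
}

function firedIndicators(src) {
  const i = indicators(src);
  const fired = [];
  if (i.escapeDensity >= 0.05) fired.push("hex-escapes");
  if (i.concats >= 3) fired.push("split-strings");
  if (i.hexNames >= 2) fired.push("hex-names");
  if (i.deadBranches >= 1) fired.push("dead-code");
  return fired;
}

// Two or more indicators: flag for deeper analysis. This is not a malware verdict.
function looksObfuscated(src) {
  return firedIndicators(src).length >= 2;
}

// Constructed, inert samples.
const plainSample = 'function greet(name){return "Hello, "+name;}';
const emailHider = 'var a="\\x69\\x6e\\x66\\x6f";var b="exam"+"ple"+"."+"test";' +
  'document.getElementById("c").textContent=a+"@"+b;';
const packedSample = 'var _0x4f2a=["\\x6c\\x6f\\x67","he"+"llo"];' +
  'if(false){_0x4f2a.push(1);}console[_0x4f2a[0]](_0x4f2a[1]);';

for (const [name, src] of Object.entries({ plainSample, emailHider, packedSample })) {
  console.log(name, looksObfuscated(src), firedIndicators(src));
}
```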