An investigation of more than 10,000 samples of malicious software written in JavaScript concluded that roughly 26% of them are obfuscated to evade detection and analysis.
Obfuscation is the conversion of easy-to-understand source code into code that is hard to read and follow but still operates as intended. Attackers commonly use obfuscation to make malicious scripts harder to examine and to evade security software.
Obfuscation can be achieved in various ways: inserting unused code into a script, splitting the code into unconnected chunks that are joined back together, encoding strings as hexadecimal patterns, and using confusing, overlapping function and variable names.
Obfuscation Is on the Rise
Security researchers examined 10,000 JavaScript samples, including malware, phishing pages, scamming tools, Magecart snippets, crypto miners, and more.
At least 26% of them use some form of obfuscation to evade detection, showing an uptick in the adoption of this basic yet effective technique. Almost all of these obfuscated samples share similar code because they were produced by the same packers, so their code structure looks alike even when their functionality differs.

The researchers plan to present more details at the upcoming SecTor conference on how they focus their detection efforts on the packing techniques rather than on the file's code itself.
Legitimate Sites Also Use It
Not all obfuscation is malicious. As the investigation report explains, around 0.5% of the 20,000 top-ranking websites on the web (as ranked by Alexa) also use obfuscation tactics.
Legitimate reasons include the following:
- Websites trying to hide some of their client-side code functionality from competitors.
- JavaScript snippets that were obfuscated by the third-party provider supplying them.
- Critical information, such as email addresses, that needs to be hidden from public view.
As such, flagging code as malicious simply because it is obfuscated is not enough on its own; the obfuscation must be correlated with malicious functionality.
This mixing with legitimate deployments is precisely what makes the detection of risky code challenging, and it is the reason obfuscation is becoming so widespread in the threat landscape.
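As an added example, not code from the article or from the research it reports, the JavaScript below scores the obfuscation traits listed above (hex-escaped strings, chunked string concatenation, machine-generated `_0x` names) and separately records code-executing sinks, so that an obfuscated but harmless snippet is not treated the same way as an obfuscated script feeding `eval()`. The weights, threshold and sample scripts are constructed for illustration.

```javascript
// Added example (not code from the article or from the researchers it cites).
// Heuristic scorer for the obfuscation traits the article lists; sinks that
// execute strings as code are counted separately so that obfuscation alone
// never produces a verdict. Weights, threshold and samples are constructed.

function obfuscationFeatures(src) {
  const count = (re) => (src.match(re) || []).length;
  return {
    hexEscapes: count(/\\x[0-9a-fA-F]{2}/g),   // "\x6d\x61..." style literals
    hexNames: count(/\b_0x[0-9a-fA-F]+\b/g),   // identifiers such as _0x1a2b
    concatChunks: count(/["']\s*\+\s*["']/g),  // "ab" + "cd" string splitting
  };
}

function obfuscationScore(src) {
  const f = obfuscationFeatures(src);
  return f.hexEscapes + 2 * f.hexNames + f.concatChunks; // constructed weights
}

// Sinks that turn a string back into executable code or markup.
const SINKS = ['eval(', 'Function(', 'document.write(', 'unescape('];
function dangerousSinks(src) {
  return SINKS.filter((s) => src.includes(s));
}

// Verdict tiers: obfuscation by itself is only a weak signal, as the article
// notes; the combination with a code-executing sink is what warrants review.
function classify(src, threshold = 5) {
  const obfuscated = obfuscationScore(src) >= threshold;
  const sinks = dangerousSinks(src);
  if (obfuscated && sinks.length > 0) return 'review';
  if (obfuscated) return 'obfuscated-only';
  return 'plain';
}

// Constructed samples: plain code, a packed snippet that merely hides an
// e-mail address (a legitimate use), and an obfuscated snippet feeding eval().
const SAMPLES = {
  plain: 'function greet(name) { return "Hello, " + name; }',
  hiddenEmail: String.raw`var _0x1a2b = ["\x6d\x61\x69\x6c\x74\x6f\x3a"];
document.getElementById("c").href = _0x1a2b[0] + "in" + "fo@example.com";`,
  evalFed: String.raw`var _0x5c = "\x61\x6c\x65\x72\x74"; var p = "pay" + "load";
eval(_0x5c + "('" + p + "')");`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, obfuscationScore(src), dangerousSinks(src), classify(src));
}
```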
