BleepingComputer reports that malicious actors compromised a U.S. political action committee's affiliates in an advanced phishing attack campaign that leveraged invisible Unicode characters to conceal the JavaScript payload. Aside from utilizing Hangul half-width and full-width characters to hide malicious code in a blank space that could be retrieved using a 'get() trap' JavaScript proxy, threat actors have also adopted base64 encoding and anti-debugging measures to further bypass analysis and detection systems, according to a report from Juniper Networks. Such intrusions, which involved a pair of Tycoon 2FA phishing kit-linked domains, "were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website," said Juniper Networks, which noted that the invisible obfuscation technique could gain more traction among cyber attackers due to its stealthiness and ease of implementation.
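A defender can surface this kind of hiding by scanning JavaScript for long runs of the two Hangul filler code points (U+FFA0 half-width, U+3164 full-width), which render as blank space. The sketch below is an added example, not code from the Juniper report or the article; the function names, the run threshold of 8, the "mixed run" heuristic, and the sample script are assumptions constructed for illustration.

```python
import re

# Half-width (U+FFA0) and full-width (U+3164) Hangul fillers render as blank space.
HANGUL_FILLERS = "\uffa0\u3164"
# Assumption: 8 or more fillers in a row is worth an analyst's attention.
FILLER_RUN = re.compile(f"[{HANGUL_FILLERS}]{{8,}}")
# Context hints only: both constructs also appear in legitimate code and comments.
PROXY_HINT = re.compile(r"new\s+Proxy\s*\(")
DEBUGGER_HINT = re.compile(r"\bdebugger\b")


def scan_script(source):
    """Report invisible Hangul filler runs and related hints in JavaScript source."""
    runs = []
    for match in FILLER_RUN.finditer(source):
        run = match.group()
        runs.append({
            "line": source.count("\n", 0, match.start()) + 1,
            "offset": match.start(),
            "length": len(run),
            # Heuristic (assumption): both fillers in one run suggests a two-symbol encoding.
            "mixed": len(set(run)) == 2,
        })
    return {
        "filler_runs": runs,
        "uses_proxy": bool(PROXY_HINT.search(source)),
        "uses_debugger": bool(DEBUGGER_HINT.search(source)),
        "suspicious": any(r["mixed"] for r in runs),
    }


def reveal(source):
    """Replace each invisible filler with a visible <U+XXXX> token for manual review."""
    return re.sub(f"[{HANGUL_FILLERS}]",
                  lambda m: f"<U+{ord(m.group()):04X}>", source)


# Constructed, benign sample: a property name made only of fillers, read via a Proxy.
SAMPLE = ('const cfg = {"' + "\uffa0\u3164" * 8 + '": 1};\n'
          "const p = new Proxy(cfg, {get(t, k) { return t[k]; }});\n")
# Constructed clean sample: ordinary Korean text, no filler characters.
CLEAN = 'console.log("안녕하세요");\n'

if __name__ == "__main__":
    print(scan_script(SAMPLE))
    print(reveal(SAMPLE).splitlines()[0])
    print(scan_script(CLEAN))
```
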
Phishing, Malware, Threat Intelligence
Invisible Unicode leveraged in sophisticated phishing campaign
