Obfuscation is the process of converting easy-to-understand source code into confusing, hard-to-read code that still works as intended.
Threat actors typically use obfuscation to make malicious scripts harder to analyze and to bypass security software.
Obfuscation can be achieved by various means, such as injecting unused code into a script, splitting the code into unconnected chunks and concatenating them back together at runtime, or using hex-encoded patterns and deliberately confusing function and variable names.
Obfuscation on the rise
At least 26% of them use some form of obfuscation to evade detection, indicating a slight increase in the adoption of this basic but effective technique.
Most of these obfuscated samples have similar code because they were processed by the same packers, so their code structure looks alike even though their functionality differs.
Akamai plans to present more details on how it is focusing its detection efforts on the packing techniques rather than on the code of the file itself at the upcoming SecTor conference.
Benign sites use it too
But not all obfuscation is malicious or sophisticated. As the report explains, about 0.5% of the 20,000 top-ranked websites (according to Alexa) also use obfuscation techniques.
These cases can be attributed to the following:
- Websites trying to hide some of their client-side code functionality from competitors.
- Sensitive information, such as email addresses, being hidden from public view.
As such, the mere presence of obfuscation is not a sufficient basis for classifying code as malicious; it must be correlated with malicious functionality.
This mix of legitimate and malicious use is precisely what makes risky code hard to detect, and why obfuscation is becoming so prevalent in the threat landscape.
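The correlation the report calls for, as an added illustration that is not Akamai's detection logic: a toy triage heuristic that scores obfuscation indicators (hex escapes, split-and-concatenated strings, packer-style identifiers) separately from risky functionality, and only flags a script when both are present. The signal lists, weights, thresholds and sample scripts are assumptions constructed for this example.

```javascript
// Added example (not from the Akamai report): a toy triage heuristic that scores
// obfuscation indicators and risky functionality separately, then only flags a
// script when both are present. Signal lists and thresholds are assumptions.
const OBFUSCATION_SIGNALS = [
  // hex-encoded string content, e.g. "\x65\x76"
  { name: "hexEscapes", re: /\\x[0-9a-fA-F]{2}/g, weight: 1 },
  // short string fragments glued back together: "ab" + "cd" + ...
  { name: "splitConcat", re: /["'][^"']{1,4}["']\s*\+\s*(?=["'])/g, weight: 1 },
  // machine-generated identifiers typical of packers, e.g. _0x4f3d
  { name: "hexIdentifiers", re: /\b_0x[0-9a-f]{4,}\b/g, weight: 2 },
];

const FUNCTIONALITY_SIGNALS = [
  // code that executes a string at runtime
  { name: "dynamicEval", re: /\beval\s*\(|new\s+Function\s*\(/g, weight: 3 },
  // code that injects markup or scripts into the page
  { name: "docWrite", re: /document\.write\s*\(/g, weight: 2 },
  { name: "scriptInjection", re: /createElement\s*\(\s*["']script["']\s*\)/g, weight: 2 },
];

// Count regex hits per signal; each signal contributes at most 5 hits.
function score(src, signals) {
  const hits = {};
  let total = 0;
  for (const s of signals) {
    const n = (src.match(s.re) || []).length;
    if (n > 0) {
      hits[s.name] = n;
      total += s.weight * Math.min(n, 5);
    }
  }
  return { total, hits };
}

// Obfuscation alone -> "obfuscated-only"; obfuscation plus risky functionality -> "suspicious".
function classify(src) {
  const obfuscation = score(src, OBFUSCATION_SIGNALS);
  const functionality = score(src, FUNCTIONALITY_SIGNALS);
  let verdict = "benign";
  if (obfuscation.total >= 2 && functionality.total >= 3) verdict = "suspicious";
  else if (obfuscation.total >= 2) verdict = "obfuscated-only";
  return { verdict, obfuscation, functionality };
}

// Constructed samples: a site hiding an e-mail address, a packed eval wrapper, plain code.
const HIDDEN_EMAIL = 'var _0x1a2b3c = "\\x69\\x6e\\x66\\x6f" + "\\x40" + "ex" + "amp" + "le.com";\n' +
  'document.getElementById("contact").textContent = _0x1a2b3c;';
const PACKED_EVAL = 'var _0x4f3d = "\\x61\\x6c\\x65" + "rt" + "(1" + ")";\neval(_0x4f3d);';
const PLAIN = 'function add(a, b) { return a + b; }';
```

Run `classify(HIDDEN_EMAIL)` and `classify(PACKED_EVAL)` side by side: both score highly on obfuscation, but only the second carries a functionality signal and so is the only one flagged.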