JavaScript obfuscation continues to be a favored method among cyberattackers for sneaking past defenses to deliver a broad range of payloads. However, even a good method for flagging the presence of JavaScript packer obfuscation is not a foolproof method of detection because a small number of websites use obfuscation for legitimate purposes, too, research shows.

Or Katz, principal lead security researcher at Akamai, this week published a sneak peek into the results of research he’ll be presenting at the upcoming SecTor 2021 conference, where he’ll discuss what he calls a “lazy” but high-performance and cost-effective method for detecting common JavaScript packer templates. 

In the run-up to this talk, Katz analyzed over 30,000 benign and malicious JavaScript files. Of the 10,000 that were malicious, Katz found 26% exhibited signs and patterns of having used one of five packer functionalities profiled by his tool. They spanned a wide range of malicious file types, including malware droppers, phishing pages, cryptominer malware, and Magecart scams.

The one-in-four occurrence rate of obfuscation puts a solid number to the growing ease with which attackers apply software-packing methods to their malicious code to make it harder to read, debug, and, consequently, be analyzed and detected by cybersecurity tools.

“It’s obviously a widely used technique, and it is so easy to do today. There are online services where you can put in your source code and the service will create obfuscated code,” Katz says. “It’s a challenge for us defenders because these are not text-based or hash-based files that we can easily find and detect. We have to do much more intensive work on them to better understand what really happened behind the scenes on these files.”

Katz will go more in-depth at SecTor 2021 about how his tooling aids the process, though his post this week highlights how similar four widely different payload samples look when they go through the same unique packer functionality.

While packers are not anything new, Katz believes they deserve continued observation and monitoring because they still work so well for adversaries — not only to evade detection but to buy the bad guys time during attacks, as methods for analyzing and detecting these files are traditionally time-consuming.

“Going over obfuscated code takes more computational resources and more human resources. In that sense, that can lead to longer life spans for these scams and higher success rates and more revenue for them,” he says.

This was the drive behind the creation of his tooling and why he believes it’s worth the look — with the caveat, of course, that like most detection methods in security, it’s no silver bullet. One of the interesting findings he plans to discuss in his presentation is the fact that obfuscation is not necessarily an automatic red flag for a website.

“Looking on the benign side of things, I was able to see that obfuscation is being used for legitimate websites. That surprised me a bit because I didn’t anticipate that,” he says, explaining that 0.5% of legitimate websites use the technique to hide code functionality on their sites.

Digging into these, he found that obfuscation is frequently used for a number of valid reasons, including to conceal client-side functionality, hide code developed by a third-party provider, or hide sensitive information like email addresses.