A new study of over 10,000 malicious JavaScript samples, over 25% of the samples analyzed use JavaScript obfuscation methods to prevent detection and analysis.

Obfuscation is a powerful technique used by hackers and security teams all over the world. Both parties use it for different reasons, but their goal is the same: to make the source code indecipherable, hard to understand, and interpret and bypasses Security solutions easily

Frequent obfuscation methods include:

  • Instruction pattern transformation;
  • Metadata or unused code removal;
  • Subroutine reordering
  • Dummy code insertion;
  • String encryption;
  • Code transportation

Akamai technologies have examined more than 10.000 malicious JavaScript samples including malware droppers, phishing pages, scammers, and cryptominers’ malware. More than 25% of the analyzed samples employ JavaScript obfuscation methods to avoid exposure. Since bundled by same packers their code seems to be similar and functions are different.

Research that will be presented at the SecTor 2021 conference introduces a technique that profiles the unique functionality of packers to detect JavaScript prior to it being obfuscated, regardless of the original code. That way, any JavaScript code that represents a threat like phishing, malware droppers, or scammers will be detected based on the techniques the packer introduces.

According to the report, additional investigation reveals that the technique being used is the result of various legitimate scenarios, including:

  • Websites that are attempting to hide some of their client-side code functionality;
  • Code that was obfuscated by a third-party provider;
  • The obfuscation of confidential data such as email addresses.

This evidence makes the difficulties in identifying malicious JavaScript easier to understand, as obfuscation alone does not imply the existence of malicious code.To identify the obfuscation ML is required to distinguish the scripts.