• Infosec In the City (IIC)

SINCON 2021 Conference — JavaScript Obfuscation: It's All About the P-a-c-k-e-r-s — by Or Katz

SINCON 2021 Conference — Deep-Tech Talk

Day 2 (06 Nov 2021) 11.00am—11.45am @ Main Room

JavaScript Obfuscation: It's All About the P-a-c-k-e-r-s

Abstract

The usage of JavaScript obfuscation techniques has become prevalent in today’s threats: from phishing pages to Magecart, and from supply chain injection to JavaScript malware droppers, all use JavaScript obfuscation techniques on some level.


The usage of JavaScript obfuscation enables evasion from detection engines and poses a challenge to security professionals, as it hinders them from getting quick answers on the functionality of the examined source code.


Deobfuscation can be technically challenging (sometimes), risky (if you don’t know what you are doing), and time-consuming (if you are lazy, as I am). Yet, the need to find and analyze high-scale, massive attacks using JavaScript obfuscation is a task I’m faced with on a daily basis.


In this presentation I will present a lazy, performance cost-effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with a high probability of accuracy.


In addition to the overview of what I’ve developed, I’ll share the techniques used, as well as source code needed to create a representation of JavaScript by using AST parsing, obfuscation pattern matching, and the machine learning techniques involved.


About Or Katz

Or Katz is a security veteran with years of experience at industry-leading vendors who currently serves as a principal lead security researcher for Akamai. Katz is a frequent speaker at security conferences and has published numerous articles, blogs and white papers on threat intelligence and defensive techniques. Katz is a data-driven security researcher who is constantly looking at how to move security challenges into the science and solutions space.
