Resechers find new way to insert backdoor in JavaScript code with invisible characters

Cybersecurity specialists described a new method to hide backdoors hidden in JavaScript thanks to the use of Unicode characters that are invisible or can be easily confused with other characters. This technique allows malicious code to evade detection, even during a thorough scan.

This method was inspired by a Subreddit post documenting a developer’s difficulties in identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. The researchers used “ᅠ” (called “HANGUL FILLER”) as its invisible Unicode character because it has the property ID_Start. These characters can appear in a JavaScript variable.

The following code snippet visualizes how the invisible character could go unnoticed by replacing the character in question with its escape sequence representation: const {timeout,  u3164} = req.query ;. A subsequent assignment retrieves the timeout and parameters “ᅠ” from req.query, and if the “ᅠ” is passed, it is assigned to the invisible variable.

Threat actors could execute arbitrary commands on the target operating system by passing the “ᅠ” parameter to the endpoint in its URL-encoded form. Wolfgang Ettlinger, of Certitude Consulting, points out that this approach cannot be detected by syntax highlighting, since invisible characters are not displayed at all and therefore cannot be identified.

On the possibility of detecting this variant of hacking in real scenarios, Ettlinger mentions that his team has not comprehensively analyzed the factors that could contribute to the mitigation of this risk or favor its exploitation, so it is not yet possible to determine what the danger is in nature.

As a possible security measure, the researcher recommends that developers protect their code from this kind of attack by prohibiting the use of non-ASCII characters. This would have no impact on their work, as non-ASCII characters are something very unusual in code development.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.