No Holiday Season for Attackers

    Published: 2024-12-31. Last Updated: 2024-12-31 07:09:10 UTC
    by Xavier Mertens (Version: 1)

    While most of us are preparing to switch to a new year (if it is already the case for you: Happy New Year!), attackers never stop and keep coming up with new tricks to defeat our security controls. For a long time now, we have been flooded with sextortion emails, a kind of blackmail in which someone threatens to share explicit images or videos unless the victim meets their demands. Even today, I still receive some of them regularly.

    Security controls were quickly implemented to detect the classic sentences used in such emails and block them, with one condition: the strings must be readable by the system in charge of spotting them. Yesterday, I received another one that caught my eye:

    If you read carefully, some characters do not look usual: some have a different shape, some have a "dot" on top of them, and so on.

    The text contains Unicode characters that look like normal letters (especially when displayed in a small font on a big screen):

    It looks dumb, but if your security controls can't handle Unicode (and a lot of them don't), this breaks classic string-based filters: a rule looking for an exact sentence will not match when some of its letters are different code points that merely render the same way. One way to get back to the normal text is to make the security control decode or read it. I did a quick test with a Python script that performs OCR ("Optical Character Recognition") on a screenshot of the email:

    remnux@remnux:/MalwareZoo/20241231$ cat ocr-test.py
    import sys
    import pytesseract
    from PIL import Image

    # Screenshot of the email; an optional command-line argument overrides the default name
    image_path = sys.argv[1] if len(sys.argv) > 1 else 'email.png'
    image = Image.open(image_path)
    # Tesseract recognizes the rendered glyphs, so look-alike Unicode letters come back as plain text
    extracted_text = pytesseract.image_to_string(image)
    with open('strings.txt', 'w', encoding='utf-8') as file:
        file.write(extracted_text)

    remnux@remnux:/MalwareZoo/20241231$ python ocr-test.py
    remnux@remnux:/MalwareZoo/20241231$ head strings.txt
    Hello dear,
    There is no reason to relax at all but you don’t need to panic and have to read my message carefully.
    It is really important, moreover, it’s crucial for you.
    
    Joking aside, I mean it. you don’t know who I am but I am more than familiar with you.
    Probably, now the only question that torments your mind is how, am I correct?
    well, your internet behavior was very indiscreet and I’m pretty sure, you know it well. So do I.
    
    you were browsing embarrassing videos, clicking unsafe links and visiting websites that no ordinary man would visit.
    I secretly embedded malware into an adult site, and you unknowingly wandered right into it. Just like a blind kitten,

    Now, security controls will probably trigger some detection rules on the decoded text. However, OCR is not a perfect tool: it may misread some characters (which can in turn defeat an exact-match rule) and it consumes a lot of CPU. This was just a quick test.
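    When the raw message text is available, there is a cheaper way to make the control "read" the message than rendering it and running OCR: fold the look-alike characters back to plain letters before the keyword rules run. The script below is an added example written for this diary, not the handler's own code. It combines Unicode compatibility decomposition (which folds fullwidth forms and mathematical alphanumerics), stripping of combining marks (which removes the added dots), and a small hand-picked table of Cyrillic/Greek homoglyphs that normalization does not touch; the table and the sample lure line are constructed for illustration and are assumptions, not data from the email shown above.

```python
import unicodedata

# Hand-picked Cyrillic/Greek letters that render like Latin ones.
# Assumption: a toy subset for illustration; a real filter would load
# the full Unicode confusables table instead of this short list.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
})

# Constructed sextortion phrases used as keyword rules (not a real rule set).
KEYWORDS = ["embarrassing videos", "malware into an adult site", "no reason to relax"]


def fold_homoglyphs(text: str) -> str:
    """Map look-alike Unicode text back to plain letters.

    1. NFKD compatibility decomposition turns fullwidth letters, mathematical
       alphanumerics and ligatures into base letters plus combining marks.
    2. Dropping combining marks (category Mn) removes the added dots/accents.
    3. The homoglyph table handles scripts NFKD leaves alone (Cyrillic, Greek).
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return stripped.translate(HOMOGLYPHS)


def naive_matches(text: str) -> list[str]:
    """Keyword rules applied to the raw text: what a Unicode-unaware filter sees."""
    lowered = text.lower()
    return [kw for kw in KEYWORDS if kw in lowered]


def matching_keywords(text: str) -> list[str]:
    """The same rules applied after folding; returns the rules that fire."""
    folded = fold_homoglyphs(text).lower()
    return [kw for kw in KEYWORDS if kw in folded]


# Constructed lure line mixing a fullwidth T, Cyrillic o/e/a, a mathematical
# bold a and dotted y/w, in the spirit of the email discussed above.
SAMPLE = (
    "\uff34here is n\u043e reas\u043en to rel\U0001d41ax. "
    "\u1e8fou \u1e87ere browsing \u0435mbarrassing vid\u0435os"
)

if __name__ == "__main__":
    print("raw rules fired:   ", naive_matches(SAMPLE))
    print("folded text:       ", fold_homoglyphs(SAMPLE))
    print("folded rules fired:", matching_keywords(SAMPLE))
```

    On the sample line, the raw rules fire on nothing while the folded rules fire on two phrases. Folding is deterministic and costs almost nothing compared to OCR, but it only covers the confusables you have mapped; OCR, for its part, catches any glyph a human would read, at the price of CPU and occasional misreads. A practical filter can do both: fold first, and fall back to OCR on the rendered message only when the folded text still looks suspicious (for example, a high ratio of non-ASCII letters in an otherwise English message).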

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant