December 9, 2024
Severity
High
Analysis Summary
Researchers have discovered a new way to use QR codes for command-and-control (C2) while evading browser isolation technologies. Browser isolation, an increasingly common security control, redirects every request from the local web browser through a remote browser hosted in a virtual machine or a cloud environment.
The remote browser, rather than the local one, executes the scripts and renders the content of the visited page. The local browser that issued the request receives only a rendered pixel stream of the page, which shows what the page looks like while shielding the local device from any malicious code on it. Because most command-and-control servers talk to their implants over HTTP, remote browser isolation, which filters that traffic, effectively neutralizes these channels. Mandiant's new method, although it has several practical drawbacks, gets past this constraint and shows that browser security features are far from airtight, so defense-in-depth with additional safeguards remains necessary.
C2 channels enable malicious communication between attackers and compromised systems: they give a remote actor control of the compromised device and the ability to run commands, steal data, and take other actions. Because browsers are built to interact continuously with external servers, security-critical environments deploy isolation mechanisms to stop attackers from reaching sensitive data on the underlying system. This is done by running the browser in a separate sandboxed environment hosted on-premises, locally in a virtual machine, or in the cloud.
With isolation enabled, only the page's visual content is streamed to the local browser, so scripts or commands carried in the HTTP response never reach the target; the isolated browser handles the HTTP exchange instead. This makes covert C2 harder, since the attacker can neither read the HTTP responses directly nor inject commands into the local browser.

Mandiant researchers have developed a novel method that gets past the isolation features of modern browsers. Instead of embedding commands in HTTP responses, the attacker encodes them in a QR code displayed visually on a web page. Because browser isolation preserves the page's visual rendering, the QR code survives the isolation layer and reaches the client. In Mandiant's study, a headless browser driven by malware already present on the device plays the role of the victim's local browser: it loads the page, captures the rendered QR code, and decodes it to recover the instructions.
Mandiant's proof-of-concept delivers the implant through the External C2 feature of Cobalt Strike, a penetration-testing framework frequently abused by attackers, and targets the latest version of the Google Chrome web browser. Although the proof of concept demonstrates that the attack is viable, the method is far from perfect, particularly once practical use is considered.
First, each QR code can carry at most 2,189 bytes of data, roughly 74% of the theoretical maximum QR capacity, and if the malware's decoder struggles to read dense codes the packet size must be reduced further. Second, each request takes about five seconds, so latency is significant. The result is a throughput of roughly 438 bytes per second, which rules out transferring large payloads or tunnelling SOCKS proxy traffic over the channel.
Lastly, Mandiant notes that its analysis did not account for several security controls that may, in some environments, block this attack or render it ineffective, such as domain reputation, URL scanning, data loss prevention, and request heuristics. Despite its modest bandwidth, Mandiant's QR-code-based C2 method could still be harmful if left unblocked, so administrators of critical systems are advised to watch for unusual traffic patterns and for headless browsers running in automated mode.
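To make the capacity and latency constraints concrete, the following is an added example (not Mandiant's proof-of-concept code) that models the framing such a channel needs and the throughput it can reach. The 2,189-byte per-QR limit and the five-second round trip are taken from the analysis above; the 10-byte frame header, the CRC32 check, and the function names are assumptions chosen for illustration.

```python
"""Framing and throughput model for the QR-code C2 channel described above.

Added example, not Mandiant's code. The per-QR limit (2,189 bytes) and the
~5-second round trip come from the advisory; the 10-byte frame header and the
CRC32 integrity check are assumptions chosen for illustration.
"""
from __future__ import annotations

import struct
import zlib

MAX_QR_BYTES = 2189          # bytes a single QR code carried in the PoC
ROUND_TRIP_SECONDS = 5.0     # observed time per request
RAW_RATE = MAX_QR_BYTES / ROUND_TRIP_SECONDS   # ~438 bytes/s upper bound

# Assumed header: seq (u16), total frames (u16), body length (u16), crc32 (u32)
HEADER = struct.Struct(">HHHI")
BODY_MAX = MAX_QR_BYTES - HEADER.size


def chunk_payload(payload: bytes, body_max: int = BODY_MAX) -> list[bytes]:
    """Server side: cut a command or payload into frames that each fit one QR code.

    Lower body_max if the implant's QR decoder cannot read dense codes reliably.
    """
    bodies = [payload[i:i + body_max] for i in range(0, len(payload), body_max)] or [b""]
    return [HEADER.pack(seq, len(bodies), len(body), zlib.crc32(body)) + body
            for seq, body in enumerate(bodies)]


def parse_frame(frame: bytes) -> tuple[int, int, bytes]:
    """Validate one decoded frame; raise ValueError on a misread QR code."""
    seq, total, length, crc = HEADER.unpack_from(frame)
    body = frame[HEADER.size:HEADER.size + length]
    if len(body) != length or zlib.crc32(body) != crc:
        raise ValueError("corrupt frame (QR decode error?)")
    return seq, total, body


class Reassembler:
    """Client side: accumulate frames, in any order, until the payload is whole."""

    def __init__(self) -> None:
        self.parts: dict[int, bytes] = {}
        self.total: int | None = None

    def feed(self, frame: bytes) -> bytes | None:
        """Return the full payload once every frame has arrived, else None."""
        seq, total, body = parse_frame(frame)
        if self.total is None:
            self.total = total
        elif total != self.total:
            raise ValueError("frame belongs to a different message")
        self.parts[seq] = body
        if len(self.parts) == self.total:
            return b"".join(self.parts[i] for i in range(self.total))
        return None


def transfer_estimate(size: int, body_max: int = BODY_MAX) -> tuple[int, float, float]:
    """Frames needed, wall-clock seconds and effective bytes/s for a payload."""
    frames = max(1, -(-size // body_max))        # ceiling division
    seconds = frames * ROUND_TRIP_SECONDS
    return frames, seconds, (size / seconds if size else 0.0)


if __name__ == "__main__":
    for size in (512, 64 * 1024, 1 << 20):
        frames, seconds, rate = transfer_estimate(size)
        print(f"{size:>8} bytes -> {frames:>4} QR codes, {seconds / 60:6.1f} min, {rate:6.1f} B/s")
```

Running the block shows why the channel suits short tasking but not bulk transfer: a 1 MiB payload needs 482 QR codes and about 40 minutes at roughly 435 bytes per second, and any frame the decoder misreads fails the CRC check and has to be fetched again.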
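The monitoring advice above can be turned into a concrete check. The following is an added detection sketch, not part of the advisory or Mandiant's research: it flags browsers launched with automation switches and browser processes that poll one external host at a near-constant interval, the cadence a QR-polling implant would produce. The log lines are constructed, and the pipe-separated field layout is an assumption rather than any product's schema; the Chromium command-line switches and the HeadlessChrome user-agent token are real.

```python
"""Detection sketch for the monitoring advice above: headless browsers in
automated mode plus the fixed-interval polling a QR-code C2 loop would produce.

Added example, not from the advisory or Mandiant. Log lines are constructed;
the pipe-separated field layout is an assumption, not any product's schema.
The Chromium switches and the HeadlessChrome user-agent token are real.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

AUTOMATION_SWITCHES = ("--headless", "--remote-debugging-port",
                       "--remote-debugging-pipe", "--enable-automation")
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "chromium", "chromium-browser")
HEADLESS_UA = re.compile(r"HeadlessChrome/\d")

# Constructed process-creation records: ts|pid|user|image|cmdline
PROCESS_LOG = """\
2024-12-09T10:00:00|4120|alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --headless=new --remote-debugging-port=9222 --disable-gpu
2024-12-09T10:00:02|2200|bob|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --profile-directory=Default
2024-12-09T10:00:03|3310|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
""".splitlines()

UA_HEADLESS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
UA_NORMAL = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36"

# Constructed web-proxy records: ts|pid|dst_host|user_agent. PID 4120 polls one
# host every 5 s (the PoC's cadence); PID 2200 is ordinary, bursty browsing.
PROXY_LOG = [f"2024-12-09T10:00:{s:02d}|4120|cdn.example.test|{UA_HEADLESS}"
             for s in (5, 10, 15, 20, 25, 30)] + [
    f"2024-12-09T10:00:07|2200|intranet.example.test|{UA_NORMAL}",
    f"2024-12-09T10:00:41|2200|intranet.example.test|{UA_NORMAL}",
    f"2024-12-09T10:01:58|2200|intranet.example.test|{UA_NORMAL}",
]


def headless_process_alerts(lines: list[str]) -> list[dict]:
    """Browser launches carrying automation switches (headless mode, DevTools port)."""
    alerts = []
    for line in lines:
        ts, pid, user, image, cmdline = line.split("|", 4)
        if not image.lower().endswith(BROWSER_IMAGES):
            continue
        hits = [sw for sw in AUTOMATION_SWITCHES if sw in cmdline]
        if hits:
            alerts.append({"ts": ts, "pid": int(pid), "user": user, "switches": hits})
    return alerts


def beaconing_alerts(lines: list[str], min_hits: int = 5, max_jitter: float = 0.2) -> list[dict]:
    """(pid, host) pairs requested at a near-constant interval.

    Jitter is the coefficient of variation of the gaps between requests, so
    max_jitter=0.2 accepts gaps that vary by roughly 20% around their mean.
    """
    stamps: dict[tuple[int, str], list[datetime]] = defaultdict(list)
    headless: set[tuple[int, str]] = set()
    for line in lines:
        ts, pid, host, ua = line.split("|", 3)
        key = (int(pid), host)
        stamps[key].append(datetime.fromisoformat(ts))
        if HEADLESS_UA.search(ua):
            headless.add(key)
    alerts = []
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"pid": key[0], "host": key[1], "hits": len(times),
                           "interval_s": round(avg, 1), "headless_ua": key in headless})
    return alerts


def correlated_pids(process_lines: list[str], proxy_lines: list[str]) -> list[int]:
    """PIDs that both launched in automated mode and beacon on a fixed interval."""
    automated = {a["pid"] for a in headless_process_alerts(process_lines)}
    beaconing = {a["pid"] for a in beaconing_alerts(proxy_lines)}
    return sorted(automated & beaconing)


if __name__ == "__main__":
    print("automated browsers:", headless_process_alerts(PROCESS_LOG))
    print("beaconing:", beaconing_alerts(PROXY_LOG))
    print("both:", correlated_pids(PROCESS_LOG, PROXY_LOG))
```

Either signal alone produces noise (build agents and UI test runners legitimately run headless browsers, and some dashboards auto-refresh on a timer), so the correlation is the actionable alert: a browser started with automation switches that then fetches the same external page on a steady cadence, especially with a HeadlessChrome user agent, matches the behaviour described above and deserves a look at what that page renders.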
Impact
- Security Bypass
- Code Execution
- Information Theft
- Unauthorized Access
Remediation
- Implement advanced email filtering and security solutions capable of detecting and blocking phishing emails, even those with QR codes.
- Configure email systems to block or quarantine emails containing suspicious attachments, especially those with executable files or embedded URLs.
- Educate employees about the importance of verifying the destination URL before scanning QR codes, especially in emails or messages from unknown sources.
- Encourage the use of QR code scanning apps that provide URL previews or other security features to help users make informed decisions.
- Enforce MFA for accessing sensitive accounts and systems.
- Ensure that all software, including operating systems, web browsers, and security software, is kept up to date with the latest security patches and updates to address vulnerabilities that attackers may exploit.
- Develop and maintain a comprehensive incident response plan that outlines the steps to take in the event of a phishing attack. This plan should include communication protocols, containment measures, and recovery strategies.
- Conduct regular security audits and penetration testing to identify vulnerabilities in your organization's systems and processes.
- Enabling two-factor authentication (2FA) on accounts adds an extra layer of security and can help prevent unauthorized access even if login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don't lose any critical information in the event of a malware infection or other data loss event.
- Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
- Implement robust monitoring to detect unusual or suspicious activity, including unauthorized access attempts, data exfiltration, browsers launched headless in automated mode, and browser traffic that fetches the same external page at a steady, machine-like interval. Pair this with an effective incident response plan so potential breaches can be contained and mitigated quickly.