Using QR Codes To Issue Commands To Infected Machines

Source: Bleeping Computer Using QR Codes To Issue Commands To Infected Machines

Thankfully It’s Slow, As In 438 bytes/s

Using a QR code to infect your mobile device or really just about anything with a camera and the ability to process the codes is not new.  Unfortunately marketers never got that message and we are seeing them everywhere from restaurant menus, to the sign up process for a club, to advertising for products and services.  Security professionals have given it cute names like quishing but the vast majority of people and businesses seem to have fallen in love with them.  It will likely take a number of successful high profile attacks before the general public realizes that a QR code is not just an innocent way to open a webpage.

The latest vulnerability was discovered by Mandiant and goes beyond breaking someone's iPhone.  The attack is used to bypass browser isolation, a popular security control that feeds webpages through a remote machine and sends only a render of that page to the system actually requesting the webpage.  That means any nasty HTTP buried in the site might run on the remote machine, but can't be triggered on the local machine, which is just showing a render of what the page looks like, sans code.  However, the researchers discovered they could embed QR codes in the site, which survive the rendering, and found a way to use them to issue commands to the target machine.

Thankfully there are a lot of limitations to this technique, which restrict it to issuing commands to a machine already infected by malware; it wouldn't be able to spread the malware itself.  The maximum theoretical payload is 2,189 bytes, assuming a perfect translation makes it to the targeted machine and that the hidden interpreter is 100% successful at translating the QR code into actual code.  As well, each request takes roughly five seconds, which translates to around 438 bytes/sec, which is not enough to do a lot.  It is, however, a novel way to avoid browser isolation, and that is not good news.

Mandiant's proof-of-concept demonstrates the attack on the latest Google Chrome web browser, integrating the implant through the External C2 feature of Cobalt Strike, a widely abused pen-testing kit.
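One defender-side check the numbers above suggest, added here as an example and not taken from Mandiant's or the site's code: scan proxy logs for a client that re-fetches the same rendered page on a tight, near-constant cadence, and compute the channel's throughput bound from the 2,189-byte-per-code limit and the observed interval (which is how the 438 bytes/s figure falls out). The log format, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Figures reported on the page for Mandiant's technique: at most 2,189 bytes
# ride in one QR code and the implant fetches a fresh one roughly every 5 s.
MAX_QR_PAYLOAD_BYTES = 2189

# Constructed proxy log (not real traffic): "<epoch seconds> <client> <host> <path>".
# 10.0.0.7 re-fetches one page on a ~5 s cadence; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
1700000000.0 10.0.0.7 render-proxy.example /render?u=site-a.example
1700000005.1 10.0.0.7 render-proxy.example /render?u=site-a.example
1700000010.0 10.0.0.7 render-proxy.example /render?u=site-a.example
1700000014.9 10.0.0.7 render-proxy.example /render?u=site-a.example
1700000020.1 10.0.0.7 render-proxy.example /render?u=site-a.example
1700000003.0 10.0.0.9 render-proxy.example /render?u=news.example
1700000091.0 10.0.0.9 render-proxy.example /render?u=news.example
1700000400.0 10.0.0.9 render-proxy.example /render?u=news.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def group_requests(log: str) -> dict:
    """Map (client, path) -> sorted list of request timestamps."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, _host, path = m.groups()
        groups[(client, path)].append(float(ts))
    return {k: sorted(v) for k, v in groups.items()}

def find_periodic_fetches(log: str, min_requests: int = 4, max_jitter_s: float = 0.5) -> list:
    """Return (client, path, mean_interval_s, max_bytes_per_s) for clients that
    re-fetch the same page at a near-constant interval. The last field is the
    most data the channel could carry at the page's 2,189-byte-per-code limit."""
    hits = []
    for (client, path), times in group_requests(log).items():
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) > max_jitter_s:
            continue  # irregular gaps look like a person browsing, not a poller
        interval = mean(gaps)
        hits.append((client, path, interval, MAX_QR_PAYLOAD_BYTES / interval))
    return hits

if __name__ == "__main__":
    for hit in find_periodic_fetches(SAMPLE_LOG):
        print("periodic fetch:", hit)
```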


About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
