Trellix Advanced Research Center recently noticed an attack Campaign with an acute spike of phishing emails, and another campaign that has been steadily going on since early 2022 with a slight variation in its TTPs. Both campaigns use QR codes as their primary mechanism to evade detection from email security products. Phishing emails in both campaigns were mostly devoid of text URLs, which makes most email security products ineffective because they rely on readable text and URLs for detection.
Use of QR codes for phishing is not new, but there is more to these campaigns. Analysis of these campaigns revealed that malicious actors not only used QR code as a primary means of defence, but also layered evasion tactics to make these campaigns hard to detect. This blog focuses on layered evasion techniques used to evade detections by security products. We also show targeted regions and discuss additional evasion methods that may be potentially used by attackers.
Technical Details:
The following sections describe the campaigns in detail, observed email variants, URL/Host structure and additional evasions used by malicious actors.
Campaign 1: Microsoft Account phishing through QR codes – an acute spike in the phishing stream!
We noticed this campaign from mid-May 2023, wherein the email body only had text and a QR code, both in image form. The subject of the emails advised the receiver to urgently take action regarding multi-factor authentication (e.g., “2FA (Two Factor Authentication) Security Update”). Since most email security products act upon an email body comprised of only text and URL for detection, malicious actors overcame this hurdle by solely using images in the email body. These emails convey that the user needs to use a mobile phone to scan the QR code and proceed further.
Email security vendor Cofense recently about this campaign targeting a major energy company and the usage of trusted domains like bing[.]com, krxd[.]com and cf-ipfs[.]com to redirect users to phishing sites.
During our analysis we found that besides exploiting the trusted domain relationship, malicious actors also used typo-squatted domains like mcwrssoft[.]co and logln-0nline-nnicrosoift3[.]com. We found the campaign to be very widespread, targeting almost all sectors like Fuel & Energy, Finance & Banking, Telecommunications, IT & Software, Healthcare, Transport, and Manufacturing.
Methods of Evasion Used by the Malicious Actor
The evasion techniques used by different campaigns vary in complexity and sophistication. Some campaigns employ multiple layers of evasion, while others rely on one. Below are common patterns of evasion that these campaigns use to evade detection and analysis.
Layer 1: Redirection of the Call To Action (CTA) URL
The observed QR codes primarily use redirection from a legitimate domain e.g.: i6x[.]net, cloudflare-ipfs[.]com, amazonaws[.]com, bliflax[.]com, etc. The Landing Pages were often hosted on newly created Domains.
We also observed that in some instances, the qr[.]codes domain was used. The attackers can track the number of times that these QR codes were scanned.
Layer 2: Cloudflare Anti-Bot Mechanism Check
We also saw QR code URLs that leverage Cloudflare anti-bot features. This implementation of Cloudflare is provided for free after signing up and threat actors abuse this.
It performs various checks like “window._phantom”, “window.Buffer”, “navigator.userAgent”, etc. If any of these checks pass, the code will not proceed further, and it would redirect to the failed page.
Layer 3: Captcha Evasion
The URLs can employ another layer of evasion by using a Click Captcha mechanism. This makes it difficult for detection engines to scan the URL, as they require a user interaction. The captcha does not have to be a genuine one; it is only a means of evading automated analysis.
Campaign 2: Fake Chinese subsidy campaign – still a steady horse in the phishing stream!
We have been tracking another QR code phishing campaign since early 2022, where the QR code is either embedded in the email body or is present in a document attachment. Once the QR code is scanned by the user, they are redirected to a “China UnionPay” credit card phishing site. The attacker uses many evasion techniques while redirecting the user to the phishing site as a layered defence. This section discusses those evasions.
Throughout the campaign thus far the modus operandi has remained the same: i.e., Email lures mentioning Chinese Government Subsidies from Ministry of Finance. The email lures mostly come in the form of Chinese Government subsidies where the potential victim is asked to scan for a QR code to get the benefit.
This campaign has been reported by a few security vendors, and this section sheds light on how this campaign has managed to be active for so long and lists the recent changes in their TTPs. What makes this QR code phishing technique unique is that it bypasses most email security products/vendors, as mentioned in the previous campaign. Here too, the emails neither have phishing URL(s) nor have any sort of phishing text that would be detectable and actionable by most email security products.
In past reports, attackers were said to use MS Word documents containing a QR code. Recently however, we found email samples without attachments. Instead, the QR code was directly embedded in the email and didn’t have any actionable text mentioned in the email body.
The lure text includes “National Security Public Service Platform” from Ministry of Finance. According to the email headers, the email was sent from ChinaNet’s ISP (AS 4134) bearing IP address 49[.]64[.]71[.]178 and was likely composed on one of the popular mail user agents (MUA) Foxmail 7.2.25.179[cn].
Upon scanning the QR code, the user would be redirected to ffrtd[.]sbs. Further digging into the domain and its infrastructure, we discovered similar domains (mentioned in the IOCs section).
After following this campaign from Feb 2022, we noticed an elaborate layer of evasion techniques.
Layer 1: Obfuscation in the CTA URL Page
Upon scanning a QR code in an email, the victim is sent to the CTA URL. This page is commonly obfuscated by jsjiami[.com], a popular tool in mainland China.
Note that the de-obfuscated code attained by decrypting data using the CryptoJS library code string in the “to-data” property contains the str, key and iv for decryption.
The victim is then redirected to the “Landing Page” page. This URL is typically in the form of “
For example, if the QR code scanned gets “domain1.sbs”, then the redirected page would be in the form of “e85fe7e7aa21ab4984fbac1e577f7a57.domain2.sbs”.
We can note that the attacker has limited multiple page refreshes during the session. By limiting refreshes, the malicious actor ensures that the landing page’s content remains stable, and that the user doesn’t notice any unusual behaviour while the malicious code carries out its intended actions, including making the AJAX call.
The AJAX POST request is made for getTemplateData.php. If the request succeeds, then a cookie is set, additional objects are fetched, and upuserId and template keys are set for the session, based on the data returned by getTemplateData.php. If the request fails with response code as 5, then the system maintenance page systemMaintenance.html is shown and the openingTime key is set based on the response data.
Layer 2: Screen Resolution & Web Cookies Check
Jump.js, which is part of “Landing Page”, checks if the device’s user agent is for a smart phone. It further checks for the screen resolution having height less than or equal to 1000 pixels and width less than or equal to 800 pixels.
The main task of “getCookie.js” referenced in the “Landing Page” is to set the user cookie through the userSetCookie() function and get the decoded URI through userCookie().
It is worth noting that the expiry of the DOM cookie is set to a very high value: i.e., more than a year. Though not being used over “Landing page”, we are not sure why the attacker uses such a long-lasting cookie. One possibility is that they may look for it in a future campaign to track their targets.
The jsconfig.js script configures the “config.Config.httpPath” property, which is defined in “Landing Page”. This is usually the path to the host name for the attacker’s API, which starts with “api.
The PHP script getTemplateData.php acts as one of the important API endpoints for this phishing campaign. It returns data in JSON format depending on the request made to the attacker’s server.
As we can see from Figure 13, getTemplateData.php responds with “code”, which is a successful response (response code 0), along with other fields such as “content”, “buttonName”, “title”, “url”, “uid”, “userId”, “socketUrl” and “customerServiceUrl”.
Apart from “title”, “content”, and “buttonName”, which is rendered in the browser, there are other fields such as “url”, which is set to “html/subsidy/index.html”, “uid” and “userId” set to alphanumeric values, “socketUrl” set to “
Layer 3: Regional Timing Checks
If a request to getTemplateData.php is made outside of working hours in China, the response code served is 5 and, in this case, the systemMaintenance.html page is served.
It roughly translates to “System Upgrade/Maintenance” and mentions opening time on “July 15, 2023 07:00”. The request was made exactly at 3:34 P.M. UTC, or 11:34 P.M. Beijing, China time. Another instance we observed was for 2:49 P.M. UTC and we yet again got a similar response. This indicates the likelihood that the campaign specifically targets Chinese individuals as it operates during China daytime.
The remote.js javascript is obtained from the “get Template Data.php” response is usually hosted on a different domain. The main purpose of this script is to send snapshots/images and mouse interaction data to the server via WSS (WebSocket Secure Protocol). The snapshot functionality is provided by the “html2canvas” library.
The “SendscreenImg” function captures a screenshot of the content inside an
Lastly, the setcurrentPage.js script is used mainly to set conditions for “setcurrentPage.php”. Having said that, this script is loaded by the HTML page to which the user is redirected by remote.js. The page’s path would usually be “/html/subsidy/index.html”.
Covered By: NCN MAGAZINE / Trellix
If you have an interesting Article / Report/case study to share, please get in touch with us at [email protected] [email protected], 9811346846/9625243429.
The post Peeling off QR Code Phishing Onion, Revealing the Hidden Layers of Deceit – Trellix appeared first on NCNONLINE.
