Rising Wave of QR Code Phishing Attacks: Chinese Citizens Targeted Using Fake Official Documents 

Cyble researchers report a rising wave of QR code phishing attacks that use MS Word documents with embedded QR codes to redirect victims to credential-harvesting sites, targeting Chinese citizens with fake official notices. The campaign employs a Domain Generation Algorithm to create phishing URLs and prompts users for sensitive information such as bank details and passwords under the guise of verification. #QRCodePhishing #MinistryofHumanResourcesandSocialSecurity #DomainGenerationAlgorithm #HoxhuntChallenge #AbnormalSecurity #CybleResearchandIntelligenceLabs #ChineseCitizens

Keypoints

  • QR code phishing attacks surged in 2024, leveraging QR codes embedded in documents to lead users to fraudulent sites for data theft.
  • Threat actors embed QR codes in MS Word documents disguised as official notices to harvest credentials.
  • The campaign specifically targets Chinese citizens and impersonates the Ministry of Human Resources and Social Security, offering subsidies above 1000 RMB.
  • A Domain Generation Algorithm (DGA) is used to generate phishing URLs, complicating detection and blocking efforts.
  • The phishing flow collects personal data, bank card details, and multiple passwords through staged verification steps, enabling potential financial loss.
  • The infrastructure uses multiple domains and IPs, indicating a broad, distributed operation with hard-to-trace origins.
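The two detection angles the key points above suggest are (a) a QR code inside a Word document is just an embedded image in the .docx zip container, so a triage script can list those images for decoding, and (b) the subdomain labels produced by the DGA look random in ways a few lexical features catch. The script below is an added example written for this page, not Cyble's tooling or anything from the report: it refangs IOC strings, extracts the hostname, scores the left-most label for DGA-likeness, and lists image parts of a .docx. The thresholds in `looks_generated` are assumptions tuned to the labels listed on this page, the sample hostnames and the in-memory .docx are constructed for the example, and actual QR decoding would need a library such as pyzbar or zxing, which is left out.

```python
import io
import math
import zipfile
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the redirected phishing hosts listed in this page's IOCs
# (defanging removed) plus two ordinary hostnames for contrast.
SAMPLE_HOSTS = [
    "2wxlrl.tiozl.cn", "op18bw.tiozl.cn", "gzha31.tiozl.cn",
    "i5xydb.tiozl.cn", "hzrz7c.zcyyl.com",
    "www.mohrss.gov.cn", "static01.example.com",
]


def refang(ioc: str) -> str:
    """Undo the usual IOC defanging so the string can be parsed."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_of(url_or_host: str) -> str:
    """Hostname from a (possibly defanged) URL or bare hostname."""
    s = refang(url_or_host)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_features(hostname: str) -> dict:
    """Cheap lexical features of the left-most label, where this campaign's DGA output sits."""
    label = host_of(hostname).split(".")[0]
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in letters)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
    }


def looks_generated(hostname: str) -> bool:
    """Heuristic: a label of 5+ chars mixing letters and digits with few vowels,
    or a high-entropy label with few vowels. Thresholds are assumptions for this
    example, not a published model; tune them against your own DNS telemetry."""
    f = dga_features(hostname)
    if f["length"] < 5:
        return False
    low_vowels = f["vowel_ratio"] < 0.3
    mixed = f["digit_ratio"] > 0.0
    high_entropy = f["entropy"] >= 2.2
    return low_vowels and (mixed or high_entropy)


def docx_image_parts(docx_bytes: bytes) -> list:
    """Names of image parts inside a .docx (a zip container). An embedded QR code
    lives under word/media/; decode the extracted image with a QR library."""
    image_ext = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("word/media/") and n.lower().endswith(image_ext))


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-shaped zip with one image part, for the example only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # placeholder, not a real QR
    return buf.getvalue()


def triage(hostnames) -> dict:
    """Map each hostname to whether its left-most label looks DGA-generated."""
    return {host_of(h): looks_generated(h) for h in hostnames}


if __name__ == "__main__":
    print("image parts:", docx_image_parts(build_sample_docx()))
    for host, flagged in triage(SAMPLE_HOSTS).items():
        f = dga_features(host)
        print(f"{host:24} entropy={f['entropy']:.2f} vowels={f['vowel_ratio']:.2f} "
              f"digits={f['digit_ratio']:.2f} -> {'SUSPECT' if flagged else 'ok'}")
```

Run against decoded QR payloads or proxy/DNS logs, the flagged hosts are a hunting lead, not a verdict: the features are deliberately crude and a legitimate CDN label can score high, so pair the hit with the document hash, the shared SSH host key fingerprint or the hosting IP range before blocking.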

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – MS Word documents embedded with QR codes, disguised as official notices from the Ministry of Human Resources and Social Security of China.
  • [T1071.001] Application Layer Protocol: Web Protocols – The QR codes redirect users to phishing websites via HTTP/HTTPS, designed to steal personal and financial information.
  • [T1566.002] Phishing: Spearphishing Link – Phishing links generated using a Domain Generation Algorithm (DGA) lead users to fraudulent websites for credential harvesting.
  • [T1056.003] Input Capture: Web Portal Capture – The phishing sites present staged "verification" forms that collect personal data, bank card details and several passwords on an attacker-controlled page. Nothing in the reported flow involves interception of an existing session or of traffic in transit (T1185 Browser Session Hijacking, T1557 Adversary-in-the-Middle), and the repeated fake verification steps slow the victim down without making any service unavailable, so a Network Denial of Service (T1498) mapping is not supported by the described behaviour.

Indicators of Compromise

  • [Hash] SHA256 – 8462bae8b5ac446fefab66d036696d4c29648052c35edb1ba7057e39808803fa (MS Word file); SHA1 – 71f4eaebbd9cccaa2a9ca2575dbf12a420482394 (same file); and 1 more hash (MS Word file)
  • [Hash] MD5 – c31837a9c1ed6a540782f63d4f196b11 (MS Word file)
  • [URL] Phishing redirect domains (encoded in the QR codes) – hxxp://wj[.]zhvsp[.]com, hxxp://ks[.]ozzlds[.]com, hxxp://rc[.]nggznm[.]cn, hxxp://ry[.]ngghznm[.]cn, hxxp://web[.]ioomk-1[.]sbs
  • [Domain] Redirected phishing domains (DGA-style subdomain labels) – 2wxlrl[.]tiozl[.]cn, op18bw[.]tiozl[.]cn, gzha31[.]tiozl[.]cn, i5xydb[.]tiozl[.]cn, hzrz7c[.]zcyyl[.]com
  • [IP] Hosts/IPs associated with phishing hosting – 20[.]2[.]161[.]134 (plus 18 other IPs in AS8075 (Microsoft), Hong Kong, e.g. 52[.]229[.]166[.]225, 20[.]2[.]16[.]132, 52[.]184[.]66[.]142, 52[.]175[.]13[.]206, 20[.]2[.]200[.]161, 20[.]255[.]100[.]54, 52[.]229[.]190[.]40, 20[.]255[.]73[.]44). Because this is shared cloud address space, block or hunt on the specific IPs and domains rather than the ASN.
  • [SSH Host Key] SHA-256 host key fingerprint bc5d98c0bfaaf36f9a264feefa572e97607eadff6ab70251ddaf59df486d7787 – shared across the phishing hosting infrastructure, useful for pivoting to further hosts

Read more: https://cyble.com/blog/rising-wave-of-qr-code-phishing-attacks-chinese-citizens-targeted-using-fake-official-documents/