The SonicWall Capture Labs threat research team has observed PDF files with embedded QR codes being used by malware authors to deceive users, often via emailed PDFs claiming security updates or sharing links. Scanning these QR codes can lead to a phishing page designed to harvest Microsoft account credentials and potentially trigger other harmful actions on mobile devices. #MalAgent.A_1998 #MalAgent.A_1999 #Microsoft #bing #PDF #QRCode
Keypoints
- PDFs with embedded QR codes are being abused to direct users to phishing pages.
- Attackers lure users via emails (fax) claiming security updates or SharePoint document signing.
- After scanning, users are taken to a phishing URL that uses bing.com to evade detections and redirects to the fraudulent page.
- The phishing page prompts for Microsoft account credentials, aiming to harvest them for unauthorized access.
- Scanning QR codes on mobile can auto-trigger actions like downloads, premium charges, or calls, posing multiple risks.
- SonicWall lists signatures MalAgent.A_1998 and MalAgent.A_1999 as protections against this activity.
- IoCs include two SHA-256 hashes and multiple malicious URLs/domains associated with the campaign.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link β Phishing URL with host bing.com to evade security detections and redirect to a fraudulent Microsoft login page. βAfter scanning the QR code a phishing URL where the host in this case is bing.com to evade security detections then it redirects to the actual phishing page βhxxps://r[.]g[.]bing[.]com/bam/ac?!&&u=a1aHR0cHM6Ly9ocmVmLmxpLz9odHRwczovL20zYWZzZWN1ci51cy9hdXRoLmh0bWw=#GeXVrYWt1cmVjaGlAbWJrLmNvbQ==ββ
Indicators of Compromise
- [Hash] Malicious sample identifiers β 68d72745079d00909989c92141255ba530490cd361a26ee1f4083acf35168c45, 21bb86d48cf2cfaa3fab305b54b936304a4cdbd60bb84024a3cd8a3eed99abc4
- [URL] Phishing and delivering pages β hxxps://r[.]g[.]bing[.]com/bam/ac?!&&u=a1aHR0cHM6Ly9ocmVmLmxpLz9odHRwczovL20zYWZzZWN1ci51cy9hdXRoLmh0bWw=#GeXVrYWt1cmVjaGlAbWJrLmNvbQ==, hxxps://geszvihbb[.]cc[.]rs6[.]net/tn[.]jsp?f=001Ditptef7aGWV9JfIQAYkZmCN-wQcHMy3e4wzwbv3vnsaliwycylagGK80Yt9uHp_YVVukara24hbeA_lURHoJmu1Scc_CBtL1Gctc_C9mjtpTa4efbpuN0PD2cc1NoggcgogpAVDLdR-weTmdl8QR4ErgtgM9NX_0e-GLM1eb4IkOGmV3qUSnw==&c=&ch==&__=/p[.]olds@dummenorange[.]com
- [URL] Additional malicious domain β hxxps://pub-8c469686ecb34304864e58edf5ab4597[.]r2[.]dev/gystdn[.]html#YXByaWxAcmVzZXRpdGxlLmNvbQ==
Read more: https://blog.sonicwall.com/en-us/2024/07/the-hidden-danger-of-pdf-files-with-embedded-qr-codes/