
QR codes bypass browser isolation for malicious C2 communication

Mandiant has identified a new method that bypasses browser isolation and lets command-and-control (C2) traffic pass through a QR code rendered on a web page.

Browser isolation is an increasingly popular security technology that routes all requests from the local web browser through a remote browser running in a cloud environment or in a virtual machine.

Protection against malicious code

Any scripts or content on the visited web page are executed in the remote browser instead of the local one. Only the rendered pixel stream of the page is sent back to the local browser that made the original request, so the user sees how the page looks while the local device is shielded from malicious code.

Many command-and-control implants communicate over HTTP and receive their instructions in the body of the server's response. Under browser isolation that response is consumed by the remote browser and never reaches the local machine, which makes traditional HTTP-based C2 far less effective.

Mandiant developed a technique that circumvents this limitation, as reported by BleepingComputer. The method has practical limitations, but it shows that browser isolation on its own is not a complete defense and underlines the importance of layered defense (defense in depth), that is, combining multiple security measures.

C2 channels allow attackers to communicate with infected systems, giving them remote control of the affected device. This allows them to execute commands, exfiltrate data, and more.

Sandboxed environment

Browsers constantly communicate with remote servers, so isolation is applied to keep whatever those servers send from reaching the endpoint directly. The browser runs in a separate, sandboxed environment, either in the cloud or in a local virtual machine.

With isolation active, the sandboxed browser handles the HTTP requests and responses, and only the page's visual content is streamed to the local browser. Scripts and commands in a response therefore never reach the local browser, which makes C2 communication over HTTP much harder.

Mandiant researchers developed a new technique to bypass modern browser isolation mechanisms. Instead of placing commands in the body of an HTTP response, the C2 server encodes them in a QR code displayed on the web page. Because the visual rendering of the page is exactly what isolation passes through, the QR code arrives at the local browser that made the request.

In Mandiant's research, the victim's local browser is a headless client controlled by the malware. The malware captures the rendered page, reads the QR code and decodes it to obtain the commands.

Mandiant demonstrated the attack with a proof of concept (PoC) on the latest version of Google Chrome, integrating the implant with the External C2 feature of Cobalt Strike, a widely used penetration testing tool that attackers frequently abuse.

Limitations of the technology

Although the PoC shows that the attack is feasible, the technique has some limitations:

Limited data transfer
The data stream is limited to 2,189 bytes per QR code, about 74% of the maximum a QR code can hold. When QR codes are misread, packet sizes have to be reduced further.

Latency
Each request takes about 5 seconds, which limits throughput to roughly 438 bytes per second. That makes the technique unsuitable for transferring large amounts of data or for SOCKS proxying.

Additional security measures
Factors such as domain reputation, URL scanning, data loss prevention and request heuristics can, in some cases, block this attack or make it less effective.
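To make the size and latency constraints above concrete, here is an added Python example, written for this article and not Mandiant's PoC code (whose framing is not described on this page), of the framing layer such a channel needs. A command too large for one QR code is split into frames that fit within the 2,189-byte payload limit the PoC reports, each carrying a hypothetical sequence/total/CRC32 header; the implant side reassembles them, drops a frame whose CRC does not match (a misread QR code) and reports which frames must be requested again. The header layout, the chunk size and the 5-seconds-per-frame figure used for the estimate are assumptions based on the numbers in this article.

```python
import math
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Figures reported for the PoC: at most 2,189 bytes per QR code, about 5 s per round trip.
QR_MAX_PAYLOAD = 2189
SECONDS_PER_FRAME = 5.0

# Hypothetical frame header (assumption, not the PoC's format):
# 2-byte sequence number, 2-byte frame count, 4-byte CRC32 of the chunk.
HEADER = struct.Struct(">HHI")
CHUNK_SIZE = QR_MAX_PAYLOAD - HEADER.size  # 2,181 bytes of command data per QR code


def build_frames(message: bytes, chunk_size: int = CHUNK_SIZE) -> List[bytes]:
    """C2 side: split a message into frames that each fit inside a single QR code."""
    if not message:
        raise ValueError("empty message")
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)]
    if len(chunks) > 0xFFFF:
        raise ValueError("message needs more frames than the 16-bit counter allows")
    return [HEADER.pack(seq, len(chunks), zlib.crc32(chunk)) + chunk
            for seq, chunk in enumerate(chunks)]


class Reassembler:
    """Implant side: collect decoded QR payloads until the whole message is present."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.parts: Dict[int, bytes] = {}

    def feed(self, frame: bytes) -> Optional[bytes]:
        """Accept one decoded QR payload; return the message once complete, else None."""
        if len(frame) < HEADER.size:
            raise ValueError("frame shorter than header")
        seq, total, crc = HEADER.unpack_from(frame)
        chunk = frame[HEADER.size:]
        # A misread QR code shows up as a CRC mismatch: drop it and wait for a re-send.
        if zlib.crc32(chunk) != crc:
            return None
        if self.total is None:
            self.total = total
        elif total != self.total:
            raise ValueError("frame belongs to a different message")
        if seq >= total:
            raise ValueError("sequence number out of range")
        self.parts[seq] = chunk
        if len(self.parts) < self.total:
            return None
        message = b"".join(self.parts[i] for i in range(self.total))
        self.total, self.parts = None, {}  # ready for the next message
        return message

    def missing(self) -> List[int]:
        """Sequence numbers still to be requested from the C2 server."""
        if self.total is None:
            return []
        return [i for i in range(self.total) if i not in self.parts]


def transfer_estimate(n_bytes: int) -> Tuple[int, float]:
    """Frames needed and wall-clock seconds at one QR code per round trip."""
    frames = math.ceil(n_bytes / CHUNK_SIZE)
    return frames, frames * SECONDS_PER_FRAME


if __name__ == "__main__":
    # Constructed command, padded so that it needs several QR codes.
    command = b"run: whoami && ipconfig /all" + b"\x00" * 5000
    frames = build_frames(command)
    rx = Reassembler()
    result = None
    for f in reversed(frames):  # frames may be decoded in any order
        result = rx.feed(f)
    assert result == command
    print(f"{len(command)} bytes -> {len(frames)} QR codes")
    print("1 MiB at 2,189 bytes per 5 s:", transfer_estimate(1 << 20))
```

Two things follow directly from the numbers: a short command costs one round trip, while a 1 MiB file needs 481 frames, roughly 40 minutes, which is why the PoC is unusable for SOCKS proxying; and every misread QR code costs another full round trip, so in practice the chunk size ends up well below the limit.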

Although this QR-code-based C2 technique offers only low bandwidth, it can still be dangerous if it is not blocked. Administrators of critical environments are advised to watch for abnormal traffic and for headless browsers operating in automated mode.
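As an added example for that recommendation (not from the article or from Mandiant), the following Python script runs two checks over a constructed web-proxy log: it lists clients whose User-Agent contains HeadlessChrome/, the string Chrome's headless mode sends by default, and it flags client/host pairs whose requests recur at an unusually regular short interval, the beacon pattern a polling QR-channel implant would leave. The log format, the thresholds and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): timestamp, client, method, URL, quoted User-Agent.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
HEADLESS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'2024-12-03T10:00:00Z 10.1.2.3 GET https://intranet.example/home "{DESKTOP_UA}"',
    f'2024-12-03T10:00:01Z 10.1.2.9 GET https://cdn.example/poll "{HEADLESS_UA}"',
    f'2024-12-03T10:00:03Z 10.1.2.3 GET https://intranet.example/news "{DESKTOP_UA}"',
    f'2024-12-03T10:00:06Z 10.1.2.9 GET https://cdn.example/poll "{HEADLESS_UA}"',
    f'2024-12-03T10:00:11Z 10.1.2.9 GET https://cdn.example/poll "{HEADLESS_UA}"',
    f'2024-12-03T10:00:16Z 10.1.2.9 GET https://cdn.example/poll "{HEADLESS_UA}"',
    f'2024-12-03T10:00:21Z 10.1.2.9 GET https://cdn.example/poll "{HEADLESS_UA}"',
    f'2024-12-03T10:00:40Z 10.1.2.3 GET https://intranet.example/docs "{DESKTOP_UA}"',
    f'2024-12-03T10:00:55Z 10.1.2.3 GET https://mail.example/inbox "{DESKTOP_UA}"',
    f'2024-12-03T10:01:15Z 10.1.2.3 GET https://intranet.example/home "{DESKTOP_UA}"',
])

Event = namedtuple("Event", "ts client host user_agent")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')  # assumed log layout


def parse(log_text: str) -> List[Event]:
    """Parse the assumed proxy log format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(stamp, client, urlsplit(url).hostname, ua))
    return events


def headless_clients(events: List[Event]) -> List[str]:
    """Clients that announced themselves as headless Chrome (trivially spoofable, but cheap to check)."""
    return sorted({e.client for e in events if "HeadlessChrome/" in e.user_agent})


def beacon_candidates(events: List[Event], min_requests: int = 4,
                      max_mean_interval: float = 30.0,
                      max_jitter: float = 0.15) -> List[Tuple[str, str, float]]:
    """Client/host pairs polled at a short, near-constant interval.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; human browsing is bursty, a polling implant is not.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.client, e.host)].append(e.ts)
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_mean_interval:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg, 1)))
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("headless user agents:", headless_clients(events))
    for client, host, interval in beacon_candidates(events):
        print(f"beacon-like polling: {client} -> {host} every ~{interval}s")
```

Treat both hits as triage leads rather than verdicts: the User-Agent is set by the attacker and can be changed, and regular polling is also what monitoring dashboards and update checkers do. What makes the pair interesting here is that the same client is both headless and polling a single host at a fixed interval of a few seconds, which is exactly the traffic shape the PoC's 5-second round trips would produce.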

Also read: ‘Quishing attacks surge and bypass email security’