- Browser isolation runs all scripts in a remote, or virtual environment, but QR codes still make it through
- If a device is infected with malware, it can get commands via QR codes, rendering browser isolation useless
- The method works, but has its limitations
Cybersecurity researchers from Mandiant claim to have discovered a new way to get malware to communicate with its C2 servers through the browser, even when the browser is isolated in a sandbox.
There is a relatively new method of protecting web-borne cyberattacks, called “browser isolation”. It makes the victim’s browser communicate with another browser, located in a cloud environment, or a virtual machine. Whatever commands the victim inputs are relayed to the remote browser, and all they get in return is the visual rendering of the page. Code, scripts, commands, all get executed on the remote device.
One can think of it as browsing through the lens of a phone’s camera.
Limits and drawbacks
But now, Mandiant believes that C2 servers (command & control) can still talk to the malware on the infected device, regardless of the inability to run code through the browser, and that is – via QR codes. If a computer is infected, the malware can read the pixels rendered on the screen, and if they’re a QR code, that is enough to get the program to run different actions.
Mandiant prepared a proof-of-concept (PoC) showing how the method works on the latest version of Google Chrome, sending the malware through Cobalt Strike’s External C2 feature.
The method works, but it’s far from ideal, the researchers added. Since the data stream is limited to a maximum of 2,189 bytes, and since there is a roughly 5-second latency, the method cannot be used to send large payloads, or facilitate SOCKS proxying. Furthermore, additional security measures such as URL scanning, or data loss prevention, may render this method completely useless.
Still, there are ways the method could be abused to run destructive malware attacks. Therefore, IT teams are advised to still keep an eye on the flow of traffic, especially from headless browsers running in automation mode.
Via BleepingComputer