- Browser isolation runs all scripts in a remote, or virtual environment, but QR codes still make it through
- If a device is infected with malware, it can get commands via QR codes, rendering browser isolation useless
- The method works, but has its limitations
Cybersecurity researchers from Mandiant claim to have discovered a new way to get malware to communicate with its C2 servers through the browser, even when the browser is isolated in a sandbox.
There is a relatively new method of protecting web-borne cyberattacks, called “browser isolation”. It makes the victim’s browser communicate with another browser, located in a cloud environment, or a virtual machine. Whatever commands the victim inputs are relayed to the remote browser, and all they get in return is the visual rendering of the page. Code, scripts, commands, all get executed on the remote device.
One can think of it as browsing through the lens of a phone’s camera.
Limits and drawbacks
But now, Mandiant believes that C2 servers (command & control) can still talk to the malware on the infected device, regardless of the inability to run code through the browser, and that is – via QR codes. If a computer is infected, the malware can read the pixels rendered on the screen, and if they’re a QR code, that is enough to get the program to run different actions.
Mandiant prepared a proof-of-concept (PoC) showing how the method works on the latest version of Google Chrome, sending the malware through Cobalt Strike’s External C2 feature.
The method works, but it’s far from ideal, the researchers added. Since the data stream is limited to a maximum of 2,189 bytes, and since there is a roughly 5-second latency, the method cannot be used to send large payloads, or facilitate SOCKS proxying. Furthermore, additional security measures such as URL scanning, or data loss prevention, may render this method completely useless.
Still, there are ways the method could be abused to run destructive malware attacks. Therefore, IT teams are advised to still keep an eye on the flow of traffic, especially from headless browsers running in automation mode.
Via BleepingComputer
You might also like
- Another major US healthcare organization has been hacked, with potentially major consequences
- Here’s a list of the best antivirus
- These are the best endpoint protection tools right now
This articles is written by : Fady Askharoun Samy Askharoun
All Rights Reserved to Amznusa www.amznusa.com
Why Amznusa?
AMZNUSA is a dynamic website that focuses on three primary categories: Technology, e-commerce and cryptocurrency news. It provides users with the latest updates and insights into online retail trends and the rapidly evolving world of digital currencies, helping visitors stay informed about both markets.
