Pixelless QR codes with QRucible

This June, I had the great pleasure of attending and speaking at the hacker conference x33fcon in Poland, while sharing the stage with my former colleague, Oddvar Moe ❤.

The talk, titled “Red Team Oops!!”, recounts some of the “Oh no, did I really just do that?” moments experienced during Red Team operations within Fortune 500 companies, and gives technical insight into the process of recovery and research that leads to new TTPs, mission advancements and goal domination!

During this talk, I discussed a case where a client specifically requested that we use QR codes for phishing during the social engineering portion of the assessment. This immediate call-out of a technique on the client’s part not only gave me an indication of their maturity level, but also suggested that they had likely put some effort into detecting and preventing QR-based attacks.

I, of course, wanted to fulfill the client’s request, but I knew right away that I had to mix things up in order to get past their technical controls. Hence, I started researching common ways to detect and prevent QR code-based phishing attacks.

Google it!

I found this blog post by Liam Jones at Stripeolt interesting, as it was rather technical and featured a very hands-on approach. Specifically, he showcased a Microsoft KQL (Kusto Query Language) rule for identifying emails that might contain QR codes.

The rule specifically looks at any emails not originating from a trusted domain (in this case, microsoft.com) that have an attached image with the extension png, jpeg or svg. He then uses this KQL rule to programmatically interrogate the Microsoft Graph API for any matching emails (which requires permission to read emails on behalf of other users in the organization), extracts and stores the images found, and then uses some C# to attempt to parse each image as a QR code. If it parses, the image is a QR code, and the decoded URL can be logged, further analyzed, and so forth.

From what I could see, there are at least two potentially exploitable flaws in this approach. One is that there are many more image types than PNG, JPEG and SVG, such as GIF, BMP, ICO and TIFF. The other is the assumption that one needs an attached image, or any image at all, to deliver a QR code.

QR Codes without the pixels?

A technique now commonly observed in use by real-life attackers is the use of ASCII characters to deliver a QR code. Even John Hammond has a video on doing exactly this, so it’s fair to say it’s commonly known at this point. While this could have been a feasible option, I decided not to explore it any further. Instead, I looked for other ways to generate and illustrate QR codes without using pictures. Rather quickly, I stumbled onto a CSS example on CodePen, created by Jason Delia.

I was confident that I had found something usable and spent a considerable amount of time replicating the automatic generation of this in Python. However, I found that the HTML rendering engine in Outlook refused to render it. Since my client primarily used Outlook, I had to abandon the CSS-based approach. Nevertheless, this method might still be effective for other email clients, particularly those that are browser-based, such as Gmail(?). I included the code for the CSS generation in this first release of QRucible, just in case it comes in handy for you!

So, with pure CSS being a no-go, what else in Outlook can be used?

That’s right, tables! While Outlook hates modern CSS, it does accept certain styles applied inline to shapes and tables. Hence, the Python utility now dubbed QRucible was glued together.
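The two detection gaps described above (a rule keyed on attached image types, and the assumption that a QR code needs an image at all) share one fix on the defender's side: inspect the HTML body itself rather than the attachments. The script below is an added example written for this post, not code from QRucible or from the Stripeolt rule. Using only the standard library, it parses each `<table>` in an HTML email body into a grid of dark/light cells from inline `background-color` styles or `bgcolor` attributes, then flags any square grid of 21 + 4k cells per side that carries the three 7×7 finder patterns every QR symbol has in its top-left, top-right and bottom-left corners. The email bodies it scans are constructed fixtures; the function names and the darkness threshold are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# 7x7 finder pattern found in three corners of every QR symbol.
FINDER = ("1111111", "1000001", "1011101", "1011101",
          "1011101", "1000001", "1111111")

_BG_RE = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
_HEX6 = re.compile(r"#([0-9a-f]{6})$")
_HEX3 = re.compile(r"#([0-9a-f]{3})$")
_RGB = re.compile(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)$")


def colour_is_dark(value):
    """True if a CSS colour reads as a dark QR module (mean channel < 128, an assumed threshold)."""
    v = (value or "").strip().lower()
    if v in ("black", "#000", "#000000"):
        return True
    m = _HEX6.match(v)
    if m:
        rgb = [int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)]
    elif _HEX3.match(v):
        rgb = [int(ch * 2, 16) for ch in _HEX3.match(v).group(1)]
    elif _RGB.match(v):
        rgb = [int(x) for x in _RGB.match(v).groups()]
    else:
        return False  # unknown or named non-black colour: treat as light
    return sum(rgb) / 3 < 128


def cell_is_dark(attrs):
    """Darkness of one <td>/<th> from its inline style, falling back to bgcolor."""
    attrs = dict(attrs)
    m = _BG_RE.search(attrs.get("style") or "")
    return colour_is_dark(m.group(1)) if m else colour_is_dark(attrs.get("bgcolor"))


class _TableGridParser(HTMLParser):
    """Collects every <table> in the body as a grid of booleans (True = dark cell)."""

    def __init__(self):
        super().__init__()
        self.grids = []   # finished tables
        self._stack = []  # open tables, so nested tables are handled separately

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._stack.append([])
        elif tag == "tr" and self._stack:
            self._stack[-1].append([])
        elif tag in ("td", "th") and self._stack and self._stack[-1]:
            self._stack[-1][-1].append(cell_is_dark(attrs))

    def handle_endtag(self, tag):
        if tag == "table" and self._stack:
            self.grids.append(self._stack.pop())


def _has_finder(grid, r0, c0):
    return all(grid[r0 + r][c0 + c] == (FINDER[r][c] == "1")
               for r in range(7) for c in range(7))


def is_qr_like(grid):
    """Square grid, 21 + 4k cells per side, with finder patterns in the three QR corners."""
    n = len(grid)
    if n < 21 or (n - 21) % 4 or any(len(row) != n for row in grid):
        return False
    return (_has_finder(grid, 0, 0) and _has_finder(grid, 0, n - 7)
            and _has_finder(grid, n - 7, 0))


def scan_email_html(html):
    """Return (rows, cols) for every table in an HTML body that looks like a QR symbol."""
    parser = _TableGridParser()
    parser.feed(html)
    parser.close()
    return [(len(g), len(g[0])) for g in parser.grids if g and is_qr_like(g)]


# --- constructed fixtures for exercising the detector (not real QR codes) ---
def _fixture_grid(n=21):
    """Three finder patterns plus arbitrary filler; encodes nothing."""
    grid = [[(r * 7 + c * 3) % 5 < 2 for c in range(n)] for r in range(n)]
    for r0, c0 in ((0, 0), (0, n - 7), (n - 7, 0)):
        for r in range(7):
            for c in range(7):
                grid[r0 + r][c0 + c] = FINDER[r][c] == "1"
    return grid


def _grid_to_table(grid):
    rows = "".join("<tr>%s</tr>" % "".join(
        '<td style="width:4px;height:4px;background-color:%s"></td>'
        % ("#000000" if dark else "#ffffff") for dark in row) for row in grid)
    return "<table cellpadding=0 cellspacing=0>%s</table>" % rows


SAMPLE_QR_HTML = ("<html><body><p>Scan to verify your account</p>%s</body></html>"
                  % _grid_to_table(_fixture_grid()))
BENIGN_HTML = "<table><tr><th>Item</th><th>Qty</th></tr><tr><td>Widget</td><td>2</td></tr></table>"
CHECKERBOARD_HTML = _grid_to_table([[(r + c) % 2 == 0 for c in range(21)] for r in range(21)])

if __name__ == "__main__":
    for name, body in (("qr-table", SAMPLE_QR_HTML), ("benign", BENIGN_HTML),
                       ("checkerboard", CHECKERBOARD_HTML)):
        print(name, scan_email_html(body))
```

The finder-pattern check is what keeps this from firing on every dense table in a marketing mail: a checkerboard or a striped pricing grid has no 7×7 finders in three corners. It is still one signal, not a decoder, and cell colours, nested tables or `colspan` tricks can dodge it; a more robust pipeline renders the HTML body to a bitmap and hands it to the same QR decoder already used on attached images.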

This method of generating QR codes was massively successful for my engagement, flying past the heavy (and probably expensive) technical controls put in place by the client. Overall, it showcases how something so simple can have an impact.

Now, there are more tricks to be explored within this concept, something I will showcase during my talk, “Evading Modern Defenses When Phishing with Pixels,” during the Adversary Village at DEF CON 32! But for now, parts of the QRucible project can be found on GitHub.

https://github.com/Flangvik/QRucible

Thanks for reading, and stay tuned for Part 2 sometime mid August!