Better Security, Together

Researchers have discovered a new cyber threat called “Unicode QR Code Phishing”, where attackers use Unicode text characters to create QR codes that evade traditional image-based security measures. This technique takes advantage of the ubiquity of QR codes in digital interactions, which has led to a significant rise in QR code phishing attacks. Traditional defenses that scan for suspicious images are ineffective against this text-based approach. These Unicode QR codes can be scanned and function correctly on smartphones, yet look different in plain text, complicating their detection. The rise of this new threat, with a reported 587% increase in attacks, underscores the need for updated security strategies to address these sophisticated phishing techniques.

Security researchers have identified a sophisticated malware campaign named “Voldemort”, which likely represents an espionage operation. The campaign employed a novel attack chain that blends commonly used techniques with less frequent methods like using Google Sheets for command and control (C&C) and abusing file schema URIs for malware staging. The malware exploits vulnerabilities such as CVE-2023-23397 (Windows search protocol) and CVE-2023-21716 (DLL hijacking) to infiltrate systems and execute malicious payloads. The campaign has targeted a wide range of organizations globally, posing a threat due to its advanced capabilities, especially in intelligence gathering.

The infection chain begins with phishing emails impersonating tax authorities from various countries, designed to deceive recipients into clicking on malicious links. These emails contain URLs that lead to a landing page hosted on InfinityFree, which checks the User Agent of the user’s browser. If the User Agent indicates a Windows environment, the browser is redirected to a search-ms URI, prompting the user to open Windows Explorer and load a file from a WebDAV share. This file, disguised as a local PDF, is actually a Windows shortcut (LNK) or ZIP file containing a similar LNK, which, when executed, invokes PowerShell to run Python scripts directly from the WebDAV share without downloading them locally.

The malware then collects system information, including the computer name, Windows version, and CPU details, sending this data to the attacker’s server. It downloads a decoy PDF to distract the user while extracting and executing a password-protected ZIP file containing a DLL vulnerable to side-loading via a legitimate executable. The DLL, named “Voldemort,” then connects to a Google Sheets-based C&C, where it uploads the user’s system information and awaits further commands.