- Browser isolation runs all scripts in a remote or virtual environment, but QR codes still make it through to the screen
- If a device is infected with malware, it can receive commands via QR codes, making browser isolation useless.
- The method works, but it has its limitations.
Cybersecurity researchers at Mandiant claim to have discovered a new way to make malware communicate with its C2 servers through the browser, even when the browser is isolated in a sandbox.
There is a relatively new method of protecting against web-borne cyber attacks, called “browser isolation.” The user's browser communicates with another browser located in a cloud environment or in a virtual machine. Whatever the user enters is forwarded to the remote browser, and all they get back is a visual representation of the page; code, scripts, and commands are executed on the remote device.
It can be thought of as browsing through a phone's camera lens.
Limits and drawbacks
But Mandiant now believes that C2 (command and control) servers can still communicate with malware on the infected device even though no code can be executed through the browser: through QR codes. If a computer is infected, the malware can read the pixels rendered on the screen, and if they form a QR code, that is enough for the program to be told which actions to execute.
Mandiant prepared a proof of concept (PoC) showing how the method works in the latest version of Google Chrome, with the malware communicating through Cobalt Strike's External C2 feature.
The method works, but it is far from ideal, the researchers added. Because the data stream is limited to a maximum of 2189 bytes and there is a latency of approximately 5 seconds, the method cannot be used to send large payloads or to facilitate SOCKS proxying. Moreover, further security measures such as URL scanning or data loss prevention may render it completely useless.
Still, the method could be abused to carry out destructive malware attacks. IT teams are therefore advised to keep monitoring traffic flows, especially those coming from headless browsers running in automation mode.
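As an added illustration of the monitoring advice above (example code written for this page, not Mandiant's PoC or any vendor's tooling), the script below runs two checks over a constructed proxy log: it flags requests whose User-Agent advertises Chrome's headless mode, and it looks for the slow, fixed-cadence beaconing that a channel with roughly 5 seconds of latency per transfer would produce. The log format, hosts and addresses are hypothetical, as are the thresholds; a headless User-Agent is only a weak signal because the string can be changed by whoever controls the browser.

```python
"""Flag proxy-log traffic from headless browsers and fixed-cadence beaconing.

Added example, not from the article. The log format below is constructed:
<ISO-8601 timestamp> <client IP> <method> <URL> "<User-Agent>"
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log: hosts, addresses and timestamps are hypothetical.
SAMPLE_LOG = """\
2024-12-10T10:00:00Z 10.0.0.5 GET https://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36"
2024-12-10T10:00:01Z 10.0.0.7 GET https://relay.example/s/abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-10T10:00:03Z 10.0.0.5 GET https://news.example/article "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36"
2024-12-10T10:00:06Z 10.0.0.7 GET https://relay.example/s/abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-10T10:00:11Z 10.0.0.7 GET https://relay.example/s/abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
2024-12-10T10:00:16Z 10.0.0.7 GET https://relay.example/s/abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64) HeadlessChrome/131.0.0.0 Safari/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname,
            "ua": ua,
        })
    return entries


def headless_requests(entries):
    """Requests whose User-Agent carries Chrome's default headless marker.

    Weak signal: the User-Agent is set by the client and can be changed.
    """
    return [e for e in entries if "HeadlessChrome" in e["ua"]]


def periodic_beacons(entries, min_hits=4, jitter_s=1.0):
    """Client/host pairs contacted at least min_hits times at a near-constant interval.

    Thresholds are hypothetical; tune them to the environment's baseline.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["client"], e["host"])].append(e["ts"])

    findings = []
    for (client, host), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        # A real user browsing produces irregular gaps; a polling channel does not.
        if all(abs(i - median) <= jitter_s for i in intervals):
            findings.append({"client": client, "host": host,
                             "hits": len(stamps), "interval_s": median})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in headless_requests(parsed):
        print(f"headless UA: {e['client']} -> {e['url']}")
    for f in periodic_beacons(parsed):
        print(f"beaconing: {f['client']} -> {f['host']} every {f['interval_s']}s ({f['hits']} hits)")
```

Both checks are meant to be correlated rather than alerted on alone: headless automation is common in legitimate testing and scraping, and steady polling also appears in benign software, but a headless session that beacons to one host at a fixed multi-second interval is worth a closer look.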
Via BleepingComputer