Embedding malicious payloads in QR codes is a phishing strategy increasingly exploited in recent campaigns. Automated defenses often struggle to decode and analyze QR codes, allowing adversaries to leverage these vectors effectively.
Our sandbox now automatically processes QR codes
ANY.RUN has updated its sandbox to easily detect and analyze malicious content in QR codes within images.
Now, when the sandbox identifies a QR code containing a link.
- The image with the QR code is placed on the desktop of the virtual machine, where you can find it for further analysis later. The QR code is also accessible in Static discovering.
- When you submit a QR code for analysis, the sandbox launches a browser and navigates to the URL encoded in the QR code, opening it in a new tab.
Importantly, this feature will also function if the embedded link within the QR code is in plain text form.
The importance of QR code detection
Distributing malicious payloads via QR codes is a phishing method known as “quishing.” Since early September, we’ve seen a surge in phishing emails using this technique, with incidents climbing to over 500 emails on Fridays in the first weeks of October.
Not only can security software struggle to detect malicious QR codes, but users often don’t link them with potential threats. Most information about the dangerous of phishing emails that you can find only typically focuses on executables and macros.
QR codes, on the other hand, are usually seen as tools for marketing, which helps quishing tactics to slip under the radar. This underscores the need for an efficient analysis tool that covers quishing.
Previously, analyzing a suspicious QR code in ANY.RUN required saving the image and using an external QR scanner like qrcoderaptor[.]com to extract the URL during the task.
This workaround, while not overly complex, still demanded extra time. Considering the increasing use of quishing to deliver malware, it was crucial for us to streamline the process for users. Now, the extraction of QR code content is automatic, removing the need for manual intervention.
Detection of malicious payloads in QR codes in action
Let’s see how QR code detection works in the sandbox using this task as an example.
To submit a URL from a QR code, follow these steps: after completing your current task, go to Static discovering and select the object containing the QR code (in our example, an email with attached images).
Next, click Submit to analyze, and a new task will launch. The URL recognized in the new task will then automatically open in a web browser.
What are your thoughts on this new feature? Have you had a chance to test out the QR code detection in ANY.RUN? Share your experience in the comments below.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.
Request a demo today and enjoy 14 days of free access to our Enterprise plan.