FortiGuard Labs Threat Research

QR Code Phishing Attempts to Steal Credentials from Chinese Language Users

By James Slaughter | January 23, 2023

Every day, millions of internet and application users enter the ubiquitous username and password in the many places where they shop, work, pay bills, socialize, and stream entertainment. This practice carries significant risk. If one of those locations is compromised, that username and password usually finds its way to dark web markets where it is offered for sale. And those credentials can be very valuable (and costly to the owner!) if they can be reused at a financial institution or online shopping site where there is money for the criminal to take.

Affected Platforms: Mobile and Desktop
Impacted Users: Mobile and desktop users
Impact: Potential to steal credentials
Severity Level: Medium

Cybercriminals use a variety of techniques designed to steal credentials. FortiGuard Labs recently discovered an interesting phishing campaign using a variety of QR codes to target Chinese language users. It aims to steal credentials by luring users into entering their data into a phishing website owned by the threat actor.

The phishing e-mail

The e-mail is reasonably simple and streamlined and contains a Microsoft Word attachment.

Figure 1. Phishing e-mail.

The e-mail attempts to spoof the Chinese Ministry of Finance. Translated to English, the e-mail subject in Figure 1 reads: “Re: Notice on the application for personal labor subsidies in 2022”. The body states, “Please click on the attachment to view the notification of the Ministry of Finance's application for personal labor subsidies in the fourth quarter of 2022!”.

The Microsoft Word attachment, “转发:关于财四季度个人劳动补贴申领通知.docx” translates to: “Forward: Notice on Application for Personal Labor Subsidy in the Fourth Quarter of Fiscal Year.docx.”


Once the attachment is opened, the user is presented with some text and a large QR code in the center of the document.

Figure 2. Word document with QR code.
Figure 3. English translation of the Microsoft Word document.

QR Code

A QR code encodes data, usually a URL, as an image, so an application is required to read it and translate it into something actionable. Most mobile phones have this functionality built into the camera app, and software packages are available on all major desktop platforms. Because the destination is stored in the image rather than written in the message, the user cannot hover over it to inspect it the way they could a text link, and e-mail filters that inspect only text links will not see the URL at all.

Figure 4. QR code spoofing the National Emblem of the People's Republic of China to look more official.

Figure 5. QR Code spoofing the WeChat logo.

In each of the examples FortiGuard Labs found, the QR code embedded in the Microsoft Word attachment encodes a URL. When the user scans it from a desktop or mobile device and follows the link, they arrive at a website controlled by the threat actor.
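As an added example (not FortiGuard's code and not part of the original post), the following Python triages a Word attachment of this kind. A .docx is a zip archive, and embedded pictures such as the QR code sit under word/media/, so the script lists them, types them by magic bytes rather than extension, hashes them for IOC comparison and, if OpenCV is installed, decodes any QR payload. The docx it builds is a constructed stand-in with a placeholder image, not the real attachment; the real file would be read from disk instead.

```python
import hashlib
import io
import zipfile

# Magic bytes for the image formats Word embeds; the QR code lives in one of these.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_type(data: bytes):
    """Classify an embedded file by its leading bytes, not by its extension."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extract_media(docx_bytes: bytes):
    """A .docx is a zip; pictures (including any QR code) live under word/media/.
    Returns one dict per embedded file with path, type, size and SHA256."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith("word/media/"):
                continue
            data = z.read(info)
            found.append({
                "path": info.filename,
                "type": image_type(data),
                "size": len(data),
                "sha256": sha256_hex(data),
            })
    return found


def decode_qr(image_bytes: bytes):
    """Decode a QR image with OpenCV if it is installed. Returns the payload
    string, '' if the image holds no readable QR code, or None when no
    decoder is available (so the caller can tell 'not decoded' from 'empty')."""
    try:
        import cv2
        import numpy as np
    except ImportError:
        return None
    img = cv2.imdecode(np.frombuffer(image_bytes, np.uint8), cv2.IMREAD_COLOR)
    if img is None:  # bytes were not a decodable image
        return ""
    payload, _points, _straight = cv2.QRCodeDetector().detectAndDecode(img)
    return payload


def triage(docx_bytes: bytes):
    """Extract every embedded image and try to decode a QR payload from each."""
    report = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for entry in extract_media(docx_bytes):
            entry["qr"] = decode_qr(z.read(entry["path"])) if entry["type"] else None
            report.append(entry)
    return report


def build_sample_docx() -> bytes:
    """Constructed stand-in for the attachment (assumption for this example):
    a minimal docx-shaped zip whose one 'image' carries only a PNG signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        z.writestr("word/media/image2.bin", b"not an image")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real sample: triage(open("attachment.docx", "rb").read())
    for entry in triage(build_sample_docx()):
        print(entry)
```

The SHA256 of each extracted image can be compared with the file hashes in the IOC list, and the decoded payload is the URL the victim would be sent to; if OpenCV is not available, any QR reader that accepts an image file will decode the extracted PNG.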

Website

FortiGuard Labs reviewed the linked website. It is a spoofed facsimile of a DingTalk site (as of the publication date, the site is offline). DingTalk is a widely used enterprise communication platform developed by Alibaba Group. Given the platform's reach and its large user base, credentials for it would be valuable to an attacker.

Figure 6. Threat actor-controlled website spoofing DingTalk.

Figure 7. English translation of the pop-up.

The user is directed to a pop-up message box that suggests their DingTalk account has committed some unspecified business violation(s) and that it will be frozen without verification in 24 hours.

After acknowledging the message box, the user is invited to enter their credentials to address the issue.

Figure 8. Credential entry.
Figure 9. Credential entry translated to English.

Conclusion

Credentials are a valuable resource for criminals and threat actors because they provide a direct route into a victim's applications or environment. They may be used directly or sold to another group for use in its operations. This example shows that attackers put significant effort into making their landing pages look as realistic as possible and into lures that persuade victims to let down their guard.

Whatever the attacker's motives, these attacks will undoubtedly remain prevalent for some time. Users should verify unexpected e-mails, avoid opening their attachments or links, and never enter credentials into a site they have not used before. Rather than following a received link, users are encouraged to go directly to the vendor's known main site to conduct any business. For a text link, hovering over it reveals the actual URL; a QR code cannot be hovered over, but most phone camera apps display the decoded URL before opening it, and the domain should be checked there. Organizations are also encouraged to train users to recognize and avoid malicious e-mail attachments and links.

Fortinet Protections

Fortinet customers are already protected from this campaign through FortiGuard's Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following AV signatures detect the samples mentioned in this blog:

MSWord/Phish.CCFD!tr

Data/Phish.9C34!phish

The Web Filtering client blocks all of the network-based IOCs listed below.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

In addition to these protections, we suggest that organizations have their end users take our free NSE training, NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

IOCs

File-based IOCs:

Filename | SHA256
重要通知.docx (Important Notice.docx) | 939656a000b7ca2f54bc42d635537261ce5194e2041f1c3ac37e3c72f8ec5333
转发:关于财四季度个人劳动补贴申领通知.docx (Forward: Notice on Application for Personal Labor Subsidy in the Fourth Quarter of Fiscal Year.docx) | f941b76a33b5a1d425569a0ed689023597fd7fc3acb301ec11a37feb71dcb597
财务重要通知.docx (Financial Important Notice.docx) | ac5f4ba15e883813b3018614887b8f65b2f90d252ab7cdffe6f05f8482e1672a

Network-based IOCs:

IOC | IOC type
hXXp://w.mryrej.cn | Credential theft site
hXXps://l99etsen5677cryptorgacme.h7g33.cn | Credential theft site
hXXp://www.sgiabuq189qhijl.cn | Credential theft site
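As an added example that is not part of the original post, this Python snippet turns the IOCs above into a detection: it refangs the hXXp URLs, matches proxy-log hostnames against the IOC hosts (and their subdomains), flags a POST to one of them as the point at which credentials were most likely submitted, and checks attachment hashes against the file IOCs. The proxy log lines, their fixed five-field layout and the request paths are constructed for the example; the IOC values are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# Network IOCs exactly as published above (defanged with hXXp / hXXps).
DEFANGED_IOCS = [
    "hXXp://w.mryrej.cn",
    "hXXps://l99etsen5677cryptorgacme.h7g33.cn",
    "hXXp://www.sgiabuq189qhijl.cn",
]

# File hashes exactly as published above.
FILE_HASHES = {
    "939656a000b7ca2f54bc42d635537261ce5194e2041f1c3ac37e3c72f8ec5333",
    "f941b76a33b5a1d425569a0ed689023597fd7fc3acb301ec11a37feb71dcb597",
    "ac5f4ba15e883813b3018614887b8f65b2f90d252ab7cdffe6f05f8482e1672a",
}

# Constructed proxy log (assumption for this example, not real traffic):
# timestamp client method url status, one request per line.
SAMPLE_LOG = """\
2023-01-20T09:12:44Z 10.0.4.17 GET http://w.mryrej.cn/login 200
2023-01-20T09:13:02Z 10.0.4.17 POST http://w.mryrej.cn/api/verify 200
2023-01-20T09:15:10Z 10.0.7.3 GET https://www.example.com/ 200
2023-01-20T09:17:05Z 10.0.2.8 GET http://WWW.sgiabuq189qhijl.cn/ 302
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging (hXXp, [.], (.), [:]) so the IOC parses as a URL."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(defanged):
    """Lower-cased hostnames from the IOC list. Matching on host rather than the
    full URL catches any path the actor serves from the same site."""
    return {urlsplit(refang(i)).hostname for i in defanged}


def host_matches(host: str, bad_hosts) -> bool:
    """True for an IOC host itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


def hash_is_known(sha256: str) -> bool:
    return sha256.strip().lower() in FILE_HASHES


def scan_log(log_text: str, bad_hosts):
    """Return one hit per request to an IOC host. A POST means the victim got
    past the pop-up and submitted the form, so it is labelled separately."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip malformed lines rather than crash on them
            continue
        ts, client, method, url, status = parts
        host = urlsplit(url).hostname  # .hostname is already lower-cased
        if host and host_matches(host, bad_hosts):
            hits.append({
                "ts": ts,
                "client": client,
                "host": host,
                "method": method,
                "status": status,
                "stage": "credentials_submitted" if method == "POST" else "landing_page_visited",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, ioc_hosts(DEFANGED_IOCS)):
        print(hit)
```

Each client that shows a credentials_submitted hit should be treated as having had its DingTalk password exposed, which is the trigger for a reset. Matching covers the IOC hosts and their subdomains only; whether to also block the registrable parent domains is a policy decision, since the page does not say what else those domains host.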
Learn more about Fortinet's FortiGuard Labs threat research and global intelligence organization and Fortinet's FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.