Hackers Using Weaponized Word Documents In QR Code Phishing Attacks

Hackers often abuse weaponized Word docs, as they can contain macros that contain or exploit flaws inside those Word files to run destructive code upon being opened by the intended victims.

It enables an attacker to employ this tool to deliver a payload to a target system or unauthorized access to a targeted system by simply sending the target an innocent file with a Word extension, most of the time evading the security systems.

EHA

Cybersecurity researchers at Cyble discovered that hackers have been actively using weaponized Word documents in QR code phishing attacks.

QR Code Phishing Attacks

QR code phishing attacks have surged recently, exploiting the technology’s all-presence and users’ familiarity to redirect them to credential-stealing sites.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

In 2024, such attacks increased by 22% compared to late 2023, with 89.3% aimed at stealing credentials per Abnormal Security. 

Threat actors embed malicious QR codes in emails, documents, and public places, using them to mask destinations. 

A recent campaign used Microsoft Word docs impersonating Chinese government agencies with undetected QR codes prompting users to authenticate for fake subsidies, aiming to harvest financial data like in a January 2023 incident documented by Fortinet.

The malicious QR code redirects victims to a domain generated by a DGA, hosting a phishing site impersonating China’s Ministry of Human Resources. 

Phishing site (Source – Cyble)

This domain resolves to IP 20.2.161.134, which hosts several other subdomains (.tiozl.cn and .zcyyl.com) linked to the massive phishing campaign, reads Cyble report.

The SSH host key fingerprint ties this IP to 17 others in Hong Kong’s AS8075, bearing similar phishing URLs. Landing pages display fake labor subsidy lures, then harvest entered personal details like names and national IDs from victims.

Finally, the phishing site prompts victims to enter bank card numbers, phone numbers, and balances on behalf of false verification, which enables unauthorized transactions after they have harvested names and IDs.

This loading screen is followed by a prompt for withdrawal passwords used to make domestic credit card payments.

Attackers can consequently conduct unauthorized transactions with the full details of a card, and these passwords can lead to financial losses.

In other words, this advanced QR code phishing scam capitalizes on trusted technology and tricks to steal financial information, effectively highlighting the mounting danger necessitating increased alertness.

Recommendations

Here below we have mentioned all the recommendations:-

  • Scan QR codes only from trusted sources, and avoid unsolicited ones promising incentives.
  • Carefully check URLs after scanning for legitimacy and HTTPS before proceeding.
  • Install reputable anti-virus and anti-phishing software on devices.
  • Stay informed about the latest phishing techniques, and educate others on QR code risks.
  • Use 2FA on accounts for added security against unauthorized access.
  • Keep software updated with the latest security patches.
  • Consider QR scanner apps that check URLs against known malicious site databases.
  • Regularly review bank and card statements, and report any unauthorized transactions promptly.

IOCs

  • hxxp://wj[.]zhvsp[.]com 
  • hxxp://ks.ozzlds[.com 
  • hxxp://rc[.]nggznm.cn hxxp://ry[.]ngghznm.cn 
  • hxxp://web[.]ioomk-1.sbs 
  • 2wxlrl.tiozl[.]cn 
  • op18bw[.]tiozl.cn 
  • gzha31.tiozl[.]cn 
  • i5xydb[.]tiozl.cn 
  • hzrz7c.zcyyl[.]com 
  • web.innki-1[.]sbs 
  • web[.]oiiunm-4.sbs 
  • web.liooik-2[.]sbs 
  • web[.]jneuz-4.sbs 
  • web[.]yoopk-4.sbs 
  • web[.]ioomil-4.cfd 
  • web.miiokn-4[.]sbs 
  • wweb[.]muuikj-6.sbs 
  • web.ikubzn9-1[.]sbs 
  • inb[.]yhuiz-5.sbs 
  • admin.yhuiz-4[.]sbs 
  • web[.]otuz1-2.sbs 
  • fmqe9s[.]ikknzjd.cn 
  • wqegi8.skqkkdm[.]cn 
  • nhfvhi.skqkkdm[.]cn 
  • k7pnec.skqkkdm[.]cn 
  • qerxjj[.]uehsht.cn 
  • vjym48.uehsht[.]cn 
  • y1hc3j.rygwnr[.]cn 
  • ofwdfq[.]qttsgzhcn.cn 
  • g97hwf[.]okdmzjcm.cn 
  • thrrai.okdmzjcm[.]cn 
  • f8lhst[.]okdmzjcm.cn 
  • xzlky6.uhhsjzn[.]cn 
  • rcgali.uhhsjzn[.]cn 
  • azure.5atrade[.]cf 
  • ahgfus[.]pixqd.cn 
  • sfdncx.lppdzna[.]cn 
  • cjpb1j[.]lppdzna.cn 
  • cqy8ek.poozpd[.]cn
  •  fyo63q[.]wiiaks.cn 
  • l9qxrr.wiiaks[.]cn 
  • yzfpmj[.]wiiaks.cn
  •  zcqgtm[.]wiiaks.cn 
  • inwp8n.ekksjcm[.]cn 
  • xicfpx[.]ekksjcm.cn

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.