Mandiant has demonstrated a novel approach to bypass browser isolation security using QR codes to enable command-and-control operations, BleepingComputer reports.
Browser isolation is a widely used security measure that involves processing web content remotely in a cloud or virtual machine environment, ensuring only visual data streams are displayed on local browsers and preventing malicious code from executing on users' systems. This technology typically blocks C2 communications, as HTTP-based traffic is filtered during remote browser isolation.
Mandiant's proof-of-concept encodes C2 commands within QR codes rendered on web pages. Since visual rendering is not stripped during isolation, the QR codes reach the local device. Malicious software on the compromised device captures and decodes the QR codes to execute commands. Mandiant's test successfully integrated the technique using Cobalt Strike's External C2 feature on the latest Google Chrome version. Despite its feasibility, the attack has limitations. The data stream is constrained to 2,189 bytes, reducing data transfer rates to approximately 438 bytes per second when accounting for latency. In addition, other security measures such as domain reputation checks and request heuristics further restrict the method's efficiency for large payloads, according to Mandiant.