Recent Quishing Attack Linked to Greatness PhaaS
Todd Stansfield with contributions from Vade security analysts
October 31, 2023 | 2 min read
Vade researchers have detected a significant increase in Quishing attacks in recent months. Quishing, also known as QRishing or QR code phishing, is a trending threat among hackers, particularly those targeting Microsoft 365 users.
Recently, Vade researchers uncovered a Quishing campaign that may be linked to the phishing-as-a-service (PhaaS) Greatness, a threat previously reported by Vade. It may also indicate an evolution in how threat actors—associated with, using, or reusing code from Greatness—are attempting to evade security measures.
In this post, we reveal our analysts’ findings.
Quishing attack: evidence of Greatness?
Without detailing the attackers' full modus operandi: the hackers used a compromised account to send the Quishing campaign from a legitimate email address. They also took care with the file naming, following a plausible convention so the attachment appears more credible.
filename: letter_[redacted_firstname]_[redacted_lastname]_[redacted_company_name]_fr.jpg
From the QR code, we can extract the below malicious URL (which we have defanged):
hxxps[://]*****club[.]com[.]pk/wpincludes/fonts/?username=cmVkYWN0ZWRfZW1haWxAZXhhbXBsZS5jb20=
The domain is associated with a compromised WordPress website (version 5.8.7, published on May 16, 2023) used to host files related to a phishing kit. The email address of the targeted user is passed as a Base64-encoded parameter in the URL.
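As an added example (not code from Vade's analysis), the following Python helper takes a URL already extracted from a QR code, refangs the hxxps / [.] notation used above, and reports the two indicators described here: a Base64-encoded victim email in the query string and a path under a compromised WordPress install. The host in the sample URL is a constructed placeholder.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Path fragments mentioned in this post on compromised WordPress hosts.
SUSPICIOUS_PATH_FRAGMENTS = ("/wp-includes/", "/wpincludes/", "/admin/js/")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url: str) -> str:
    """Undo the common hxxp / [://] / [.] defanging so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")


def decode_b64_email(value: str) -> Optional[str]:
    """Return the decoded string if value is Base64 of an email address, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def triage_qr_url(url: str) -> dict:
    """Summarise the campaign indicators for a URL decoded from a QR code."""
    parsed = urlparse(refang(url.strip()))
    findings = {"host": parsed.hostname, "path": parsed.path, "suspicious_path": False,
                "encoded_email_param": None, "encoded_email": None, "score": 0}
    if any(frag in parsed.path for frag in SUSPICIOUS_PATH_FRAGMENTS):
        findings["suspicious_path"] = True
        findings["score"] += 1
    # The landing page prefills the victim's address from a query parameter,
    # so any parameter that Base64-decodes to an email is a strong signal.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            email = decode_b64_email(unquote(value))
            if email:
                findings["encoded_email_param"] = name
                findings["encoded_email"] = email
                findings["score"] += 2
    return findings


if __name__ == "__main__":
    # Constructed sample: placeholder host, same structure as the campaign URL above.
    sample = "hxxps[://]placeholder-club[.]com[.]pk/wpincludes/fonts/?username=cmVkYWN0ZWRfZW1haWxAZXhhbXBsZS5jb20="
    print(triage_qr_url(sample))
```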
Below is a preview of the landing page, which simulates the loading of a Microsoft Office document before displaying a fake Microsoft 365 login page.
Preview of the landing page
Below is the HTML source code of the landing page, with the URL defanged:
Below is the decoded Base64 string:
The file mf.php was retrieved from *****s24[.]com, another compromised website.
The path fragment /admin/js/ offers another clue pointing to Greatness, as introduced in Cyberthreat Analysis: ‘Greatness’ Phishing-as-a-Service (PhaaS). Moreover, the snippet from mf.php below allowed us to identify the file 9576366.php:
Inside 9576366.php, we can observe these elements:
Snippet from 9576366.php
These elements are similar to those identified by Trellix in an analysis of phishing attacks.
Code comparison between Trellix snippet and Vade snippet
According to Trellix, in the beginning, the malicious authentication pages were delivered by email with an HTML attachment.
Preview of HTML attachments - screenshot from Trellix
Below is the initial HTML attachment variant uncovered by Trellix:
Initial HTML attachment variant - screenshot from Trellix
We have observed this variant while analyzing malicious campaigns targeting businesses, as shown below.
Preview of source code - HTML attachment 1 – Vade
Preview of source code - HTML attachment 2 – Vade
Preview of source code - HTML attachment 3 - Vade
Comparing the indicators of compromise from Greatness to the recent Quishing attack, we find significant similarities.
Comparison of indicators of compromise
Comparison of snippets
Returning to our analysis of the file mf.php, we can find other clues in the code below.
In the analysis of the Greatness phishing kit published by Randy McEoin in April 2023, we notice similar components and features, including the use of a central API, a Telegram token, anti-bot and blocklist functionality, and autograb.
Components and features from Greatness - screenshot from rmceoin
This code is not new. A trace of it was posted eight months ago on the subreddit r/asknetsec.
Reddit subject: Can anyone help deobfuscate this JS found in cred phishing attack?
Based on our analysis of this Quishing attack, we believe that threat actors associated with or using Greatness (or reusing code from Greatness) are leveraging QR codes rather than HTML attachments to evade security mechanisms.
Quishing attack: key takeaways
Quishing is not a new threat; however, it appears to be making a resurgence among hackers. In October 2023, Vade discovered a Quishing campaign spoofing DocuSign and targeting a French company. The example is one case among many that Vade researchers have observed over the past several months.
Preview of the JPG attachment
As reported in our Q3 2023 Phishing and Malware Report, Quishing can bypass email filters that lack QR code reading and detection capabilities.
To protect yourself from Quishing, we urge organizations and users to stay vigilant when encountering emails containing QR codes. Here are a few safety tips:
- Always inspect the URL preview that appears when scanning a QR code before tapping through to the site.
- Refrain from sharing sensitive information.
- Stay vigilant when asked to provide personally identifiable information (PII). Carefully inspect any website that requests this information.
- Refrain from installing security applications offered via QR code, especially on smartphones.