Russian Hackers Attacking WhatsApp Users With Malicious QR Codes


Jan 17, 2025 - 04:33

Russian state-sponsored hacking group Star Blizzard has shifted tactics, targeting WhatsApp accounts with malicious QR codes.

This marks a significant evolution in the group’s spear-phishing campaigns, which have historically targeted government officials, diplomats, defense researchers, and organizations associated with Ukraine.

The campaign, observed in mid-November 2024 by Microsoft Threat Intelligence, highlights the group’s adaptability and persistence in evading detection.

Star Blizzard, also known as Callisto Group or ColdRiver, has traditionally relied on spear-phishing emails to steal credentials and exfiltrate sensitive data. This recent campaign, however, is its first documented use of WhatsApp as an attack vector.


The group targeted individuals by sending emails impersonating U.S. government officials and offering an opportunity to join a WhatsApp group focused on supporting Ukrainian NGOs.

WhatsApp message (image)

The emails included a QR code that appeared to link to the group but was intentionally broken to prompt recipients to respond for further instructions, Microsoft said.

QR code with malicious links (image)

Once the target replied, Star Blizzard sent a second email containing a shortened link wrapped in Microsoft Safe Links. This redirected victims to a webpage instructing them to scan another QR code.

Instead of joining a WhatsApp group, scanning the code linked the victim's WhatsApp account to a device the attackers controlled. The QR code was the kind WhatsApp Web uses to pair a new device, so the victim's own phone authorized the attackers' browser session. This gave Star Blizzard access to the victim's private messages, which it could exfiltrate using browser plugins designed for exporting WhatsApp messages.
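The second-stage lure relied on a shortened link wrapped in Microsoft Safe Links, which makes the URL look vetted while still hiding where it leads. The following added example (not code from the article, from Microsoft or from Star Blizzard) unwraps a Safe Links URL back to the destination the sender actually supplied and flags public URL shorteners, so a responder or user can see the real target before visiting it. The Safe Links format assumed here is the standard `https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&...` rewrite; the sample URLs and the shortener list are constructed for illustration and are not from the campaign.

```python
"""Unwrap Microsoft Safe Links and flag URL-shortener destinations.

Added example, not code from the article or from Microsoft. Safe Links
rewrites an outbound hyperlink into
https://<region>.safelinks.protection.outlook.com/?url=<encoded original>&data=...
The wrapper only shows the sender's tenant ran a reputation check; it does
not make the destination trustworthy. Sample URLs below are constructed.
"""
from urllib.parse import parse_qs, quote, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Illustrative list of public URL shorteners (assumption; not exhaustive).
SHORTENER_HOSTS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy", "ow.ly"}

# Constructed sample: a Safe Links wrapper around a shortened link.
SAMPLE_WRAPPED = (
    "https://nam12.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Ft.ly%2Fexample-path&data=05%7C02%7C&sdata=AAAA&reserved=0"
)
# Constructed sample: the wrapper itself wrapped again (forwarded mail does this).
SAMPLE_DOUBLE_WRAPPED = (
    "https://eur01.safelinks.protection.outlook.com/?url=" + quote(SAMPLE_WRAPPED, safe="")
)


def unwrap_safelinks(url: str, max_depth: int = 5) -> str:
    """Return the original destination if `url` is a Safe Links wrapper.

    Non-wrapped URLs are returned unchanged. Nested wrappers are peeled
    repeatedly; `max_depth` guards against a pathological self-referencing chain.
    """
    for _ in range(max_depth):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            return url
        inner = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes once
        if not inner:
            return url
        url = inner[0]
    return url


def is_shortener(url: str) -> bool:
    """True when the URL's host is a known public shortener."""
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


def triage_link(url: str) -> dict:
    """Summarize what a link really points at and why it deserves suspicion."""
    destination = unwrap_safelinks(url)
    wrapped = destination != url
    shortener = is_shortener(destination)
    if wrapped and shortener:
        verdict = "suspicious: Safe Links wrapper around a shortener hides the final site"
    elif shortener:
        verdict = "suspicious: shortener hides the final site"
    elif wrapped:
        verdict = "review: Safe Links wrapper; check the unwrapped destination"
    else:
        verdict = "plain link"
    return {
        "destination": destination,
        "wrapped": wrapped,
        "shortener": shortener,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for u in (SAMPLE_WRAPPED, SAMPLE_DOUBLE_WRAPPED, "https://example.org/notes"):
        print(triage_link(u))
```

Resolving the shortener itself (following its redirect) is deliberately left out: do it from an isolated analysis host, not from the recipient's phone, since the redirect is the attacker's first sign that a target engaged.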

The campaign underscores Star Blizzard’s ability to adapt its tactics following significant disruptions to its infrastructure. In October 2024, Microsoft and the U.S. Department of Justice dismantled over 180 domains used by the group for phishing operations.

Despite these setbacks, Star Blizzard quickly transitioned to new methods, demonstrating its resilience.

The use of QR codes adds another layer to their operations. QR code phishing (or "quishing") is hard to detect because the destination URL is carried inside an image rather than a clickable hyperlink, so email security tools that parse and rewrite links have nothing to scan, and the eventual visit happens from the victim's phone, outside the organization's email and web filtering.

This tactic exploits users’ growing trust in QR codes, which became more prevalent during the pandemic.
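Because the URL never appears as a link, defenders have to look for the shape of a quishing lure instead: a message whose only call to action is an embedded image, accompanied by text asking the reader to scan it. The following added example (not code from the article or from Microsoft) implements that heuristic over raw MIME messages with Python's standard `email` and `html.parser` modules. The keyword list, scoring and the two sample messages are constructed assumptions for illustration, not data from the campaign.

```python
"""Heuristic triage for QR-code phishing ("quishing") in e-mail.

Added example, not code from the article or from Microsoft. Flags messages
whose call to action is an embedded image rather than a clickable link, the
case in which URL-based mail filters see nothing to scan. Keywords, scoring
and sample messages are constructed for illustration.
"""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Phrases that ask the reader to scan something (assumption; tune per language).
QR_KEYWORDS = ("qr code", "scan the code", "scan this code", "scan it with your phone")

# Constructed sample: HTML body with no hyperlink, an inline image, and a scan prompt.
SAMPLE_EMAIL = """\
From: sender@example.org
To: recipient@example.net
Subject: Invitation to the coordination group
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please scan the QR code below with WhatsApp to join the group.</p>
<img src="cid:qr@example"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr@example>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed sample: an ordinary message with a clickable link and no image.
CLEAN_EMAIL = """\
From: sender@example.org
To: recipient@example.net
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Notes are at <a href="https://example.org/notes">the wiki</a>.</p></body></html>
"""


class _HtmlStats(HTMLParser):
    """Count hyperlinks and images in an HTML body and collect its visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = 0
        self.images = 0
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and any(k == "href" and v for k, v in attrs):
            self.anchors += 1
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_parts.append(data)


def quishing_score(raw_message: str) -> dict:
    """Score a raw RFC 5322 message: 0 (nothing notable) to 2 (image-only CTA plus scan prompt)."""
    msg = message_from_string(raw_message, policy=default)
    stats = _HtmlStats()
    plain_text = []
    image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            stats.feed(part.get_content())
        elif ctype == "text/plain":
            plain_text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            image_parts += 1

    text = (" ".join(stats.text_parts) + " " + " ".join(plain_text)).lower()
    keyword_hits = [k for k in QR_KEYWORDS if k in text]
    has_image = image_parts > 0 or stats.images > 0

    reasons = []
    if has_image and stats.anchors == 0:
        reasons.append("image present but no clickable link: the image is the call to action")
    if keyword_hits:
        reasons.append("text asks the reader to scan: " + ", ".join(keyword_hits))
    score = len(reasons)
    return {"score": score, "suspicious": score >= 2, "reasons": reasons,
            "images": image_parts, "anchors": stats.anchors}


if __name__ == "__main__":
    print(quishing_score(SAMPLE_EMAIL))
    print(quishing_score(CLEAN_EMAIL))
```

In a mail pipeline the scored messages would be routed to a sandbox that decodes the QR image and passes the recovered URL to the same link analysis used for clickable links; the heuristic alone is a triage filter, not a verdict.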

Star Blizzard’s targets remain consistent with its previous campaigns:

  • Government officials and diplomats
  • Defense policy researchers
  • NGOs and think tanks
  • Individuals and organizations providing aid to Ukraine

The group meticulously researches its targets using open-source intelligence and social media platforms. They craft highly convincing phishing lures by impersonating trusted contacts or well-known figures in their targets’ fields.

Mitigation Measures

To counter such threats, Microsoft Threat Intelligence recommends heightened vigilance among individuals and organizations within high-risk sectors. Specific measures include:

  • Verifying email authenticity: Always confirm the sender's identity through a known, separate channel before responding or clicking links.
  • Avoiding QR codes in unsolicited emails: Treat all QR codes with caution unless their source is verified, and never scan a code in WhatsApp's "Link a device" flow unless you yourself are pairing a computer you control.
  • Reviewing linked devices in WhatsApp: Settings > Linked devices lists every paired browser or desktop session; log out of any you do not recognize. A device linked via a scanned QR code keeps access until it is removed there.
  • Implementing phishing-resistant multi-factor authentication (MFA): Hardware security keys prevent unauthorized logins even if credentials are compromised. Note that MFA protects credential-based sign-ins; a QR-based device link is authorized by the victim's own phone and involves no password or MFA prompt, so this control protects other accounts rather than the WhatsApp session itself.
  • Regular cybersecurity training: Educating employees about evolving phishing tactics, including lures that move the victim from email to a personal messaging app, helps them recognize red flags.

Organizations are also encouraged to deploy advanced email security solutions capable of detecting sophisticated spear-phishing attempts and monitoring for unusual activity.

Star Blizzard’s activities highlight the increasing sophistication of state-sponsored cyber threats. Their campaigns not only aim at espionage but also seek to disrupt democratic processes and influence geopolitical dynamics.

As cyber attackers continue to innovate, governments and private entities must collaborate closely to bolster defenses against such persistent adversaries.


The post Russian Hackers Attacking WhatsApp Users With Malicious QR Codes appeared first on Cyber Security News.