On 25 November, HP spotted a campaign that distributed Office documents through email. Notably, the documents did not contain any exploit or macro code that could execute malicious code. Instead, the documents only contained Chinese text and a QR code.
They suspected the attackers might be trying to distribute mobile malware by forcing the recipients of these documents to switch to mobile devices to access malicious content.
First, the attackers send the document with the QR code to targets as email attachments. The document claims recipients are entitled to a government grant for the fourth quarter of 2022 based on a decision made by the Chinese Ministry of Finance and other state institutions. The document emphasizes that the notice had been communicated the previous week to build a sense of urgency, urging recipients to act quickly.
Various state institutions, copyrights and security numbers are also mentioned to bolster the document’s credibility. So far, the lure meets all the classic elements of a good phishing lure: relying on authority, urgency and offering a financial incentive for taking action.
To receive the grant, the recipient is asked to scan the QR code using WeChat, a popular instant messaging, social media and mobile payment app, and then follow the instructions on the website. Using QR codes is an unusual but effective way to force the target to switch from a computer to a mobile device, which may be protected by weaker phishing protection and detection mechanisms.
When the recipient scans the QR code, they are first taken to a webpage containing the same information as in the Word document. Clicking a button enables the user to start the application for the grant. Next, the website asks for a bank card number. In the input field, there is a note that bank cards from the Industrial and Commercial Bank of China would be given priority. This notice suggests the attackers are primarily interested in such bank cards.