A tiny Python utility that generates "imageless" QR codes in various formats and obfuscates keywords in emails by illustrating them using tables. This is useful for evading keyword-based and AI-assisted QR code phishing-specific detections. Partially released with an accompanying blog post at x33fcon 2024, with more features added during Defcon 32.
pip3 install -r requirements.txt
python3 QRucible.py
For pytesseract and the keyword obfuscation to work correctly, you may also need to install Tesseract OCR separately.
For Ubuntu:
sudo apt-get install tesseract-ocr
For macOS using Homebrew:
brew install tesseract
For Windows: download the Tesseract installer from the Tesseract GitHub page, run the installer, and follow the instructions.
usage: QRucible.py [-h] -u URL [-s SIZE] [-i INPUT] [-o OUTPUT] [--css] [--tables] [--eml] [--obfuscate OBFUSCATE [OBFUSCATE ...]]

A tiny Python utility that generates "imageless" QR codes in various formats and obfuscates keywords in emails

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     The URL to be encoded in the QR code.
  -s SIZE, --size SIZE  The box size of the QR code. (default: 40)
  -i INPUT, --input INPUT
                        The input HTML (template) file, replaces the string QR_PLACEHOLDER with the QR code
  -o OUTPUT, --output OUTPUT
                        The output path to an HTML or EML file.
  --css                 Generate QR code using the CSS method.
  --tables              Generate QR code using the table method. Default
  --eml                 Generate an EML file instead of an HTML file.
  --obfuscate OBFUSCATE [OBFUSCATE ...]
                        Keywords to obfuscate by illustrating them as tables.
The command below generates a QR code using HTML tables:
.\QRucible.py -u https://youtu.be/dQw4w9WgXcQ -i '.\MFA_QR_CODE _TEMPLATE.html' --tables --eml
In the email generated by the command below, the marked keywords are illustrated using tiny tables rather than text, which confuses AI that tries to understand context and bypasses keyword flagging/detection.
.\QRucible.py -u https://youtu.be/dQw4w9WgXcQ -i '.\MFA_QR_CODE _TEMPLATE.html' --tables --obfuscate QR mobile device MFA
The CSS method is based on this example: https://codepen.io/jasonadelia/pen/DwWaNW