The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.
DLL side-loading is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in Windows. It consists of spoofing a legitimate DLL and placing it in a folder from where the operating system loads it instead of the legitimate one.
QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan but evolved into a malware dropper, and is used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons.
Security researcher ProxyLife recently discovered that Qakbot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11. The method continues to be used in malspam campaigns.
New QBot infection chain
The ISO contains a .LNK file, a copy of 'calc.exe' (Windows Calculator), and two DLL files, namely WindowsCodecs.dll and a payload named 7533.dll.
When the user mounts the ISO file, it only displays the .LNK file, which is masqueraded to look like a PDF holding important information or a file that opens with Microsoft Edge browser.
However, the shortcut points to the Calculator app in Windows, as seen in the properties dialog for the files.
Clicking the shortcut triggers the infection by executing the Calc.exe through the Command Prompt.
When loaded, the Windows 7 Calculator automatically searches for and attempts to load the legitimate WindowsCodecs DLL file. However, it does not check for the DLL in certain hard-coded paths and will load any DLL with the same name if it is placed in the same folder as the Calc.exe executable.
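The search-order behaviour described above leaves a simple telemetry footprint: a DLL carrying the name of a Windows system library (here WindowsCodecs.dll) being loaded from a directory that is not a system directory, typically the same folder as the executable that loaded it. The script below is an added example, not code from the article or from the researcher it cites; it runs a detection of that pattern over records shaped like Sysmon Event ID 7 (ImageLoad) fields. The event records are constructed for illustration, and the list of system DLL names contains only the one the article mentions.

```python
"""
Added example: flag image-load events in which a DLL named like a Windows
system library is loaded from outside the Windows system directories.
Records are constructed here in the shape of Sysmon Event ID 7 (ImageLoad)
fields (Image, ImageLoaded, Signed); they are not real telemetry.
"""
from pathlib import PureWindowsPath

# DLL names expected to be loaded only from the Windows system directories.
# WindowsCodecs.dll is the name the article reports being abused.
SYSTEM_DLLS = {"windowscodecs.dll"}

# Directories from which a system DLL is legitimately loaded (assumption:
# a defender would extend this list to match the monitored estate).
SYSTEM_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)


def is_system_path(path: str) -> bool:
    """True if the path sits below one of the Windows system directories."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_sideload_candidates(events):
    """Return the events that look like DLL side-loading by name masquerading.

    An event is flagged when the loaded DLL has a system-library name but
    was loaded from a non-system path. The result also notes whether the
    DLL sat next to the loading executable and whether the DLL was signed,
    which are the two facts an analyst checks first on such a hit.
    """
    hits = []
    for ev in events:
        loaded = PureWindowsPath(ev["ImageLoaded"])
        if loaded.name.lower() not in SYSTEM_DLLS:
            continue
        if is_system_path(str(loaded)):
            continue
        image = PureWindowsPath(ev["Image"])
        same_dir = str(loaded.parent).lower() == str(image.parent).lower()
        hits.append({
            "Image": ev["Image"],
            "ImageLoaded": ev["ImageLoaded"],
            "dll_next_to_exe": same_dir,
            "signed": ev.get("Signed", "false").lower() == "true",
        })
    return hits


# Constructed sample events (not real logs). The first mirrors the chain in
# the article: a copied calc.exe on a mounted ISO loading a same-named
# WindowsCodecs.dll from its own folder. The second is the legitimate case.
SAMPLE_EVENTS = [
    {
        "Image": "D:\\calc.exe",
        "ImageLoaded": "D:\\WindowsCodecs.dll",
        "Signed": "false",
    },
    {
        "Image": "C:\\Windows\\System32\\calc.exe",
        "ImageLoaded": "C:\\Windows\\System32\\WindowsCodecs.dll",
        "Signed": "true",
    },
    {
        # A DLL with an unrelated name is outside this rule's scope.
        "Image": "D:\\calc.exe",
        "ImageLoaded": "D:\\7533.dll",
        "Signed": "false",
    },
]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

The rule is deliberately narrow: it fires on the name-masquerading part of the technique and leaves the second DLL (the payload, which has no system name) to other controls such as signature checks on anything loaded by a copy of a Windows binary running outside its normal location.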