QBot phishing uses Windows Calculator sideloading to infect devices

Gandalf_The_Grey

Gandalf_The_Grey

Level 71
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
5,958
Content source
https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/
The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.

DLL side-loading is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in Windows. It consists of spoofing a legitimate DLL and placing it in a folder from where the operating system loads it instead of the legitimate one.

QBot, also known as Qakbot is a Windows malware strain that started as a banking trojan but evolved into a malware dropper, and is used by ransomware gangs in the early stages of the attack to drop Cobalt Strike beacons.

Security researcher ProxyLife recently discovered that Qakbot, has been abusing the the Windows 7 Calculator app for DLL side-loading attacks since at least July 11. The method continues to be used in malspam campaigns.
Click to expand...
It should be noted, that this DLL sideloading flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version.
Click to expand...
www.bleepingcomputer.com

QBot phishing uses Windows Calculator DLL hijacking to infect devices

The operators of the QBot malware have been using a DLL hijacking flaw in Windows Calculator to infect computers, which also helps evade detection by security software.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: Nevi, Andy Ful, shmu26 and 5 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,550
A bit cumbersome to test as this includes a huge amount of steps, that normally ain't the case with other found in the wild Qbot/Qakbot samples. If this is delivered in the exact same way as shown in the article/report ( spam, html, downloading a password protected ZIP file, ISO file, open/unpack the ISO... ) to a potential victim, it's an automatic risk it will fail simply because of too many manual steps involved. That said, I tested it on AnyRun and it does work, but one can't use their default browser as that is still IE. Open the html file with Chrome or Firefox to get the ZIP file.
 
  • Like
Reactions: Nevi, harlan4096, plat and 3 others
NoVirusThanks

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
271
The sample was tested in the OSArmor video below at 10:30 timeline (used Edge to get the ZIP file):



The PE file calc.exe is unsigned, it has hidden file (+H) disk attribute and is from Windows 7 OS.

With calc.exe from Windows 10 it doesn't work:
 
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Back3, harlan4096 and 3 others
You must log in or register to reply here.

Similar threads

LASER_oneXM
    • Like
Malware News New QBot email attacks use PDF and WSF combo to install malware
Replies
1
Views
1,095
Security News
Andy Ful
Andy Ful
Gandalf_The_Grey
    • Like
    • Wow
LockBit operator abuses Windows Defender to load Cobalt Strike
Replies
1
Views
727
News Archive
Andy Ful
Andy Ful
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Qbot needs only 30 minutes to steal your credentials, emails
Replies
1
Views
770
News Archive
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top