QBot phishing uses Windows Calculator sideloading to infect devices

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.

DLL side-loading is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in Windows. It consists of spoofing a legitimate DLL and placing it in a folder from where the operating system loads it instead of the legitimate one.

QBot, also known as Qakbot is a Windows malware strain that started as a banking trojan but evolved into a malware dropper, and is used by ransomware gangs in the early stages of the attack to drop Cobalt Strike beacons.

Security researcher ProxyLife recently discovered that Qakbot, has been abusing the the Windows 7 Calculator app for DLL side-loading attacks since at least July 11. The method continues to be used in malspam campaigns.
It should be noted, that this DLL sideloading flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
A bit cumbersome to test as this includes a huge amount of steps, that normally ain't the case with other found in the wild Qbot/Qakbot samples. If this is delivered in the exact same way as shown in the article/report ( spam, html, downloading a password protected ZIP file, ISO file, open/unpack the ISO... ) to a potential victim, it's an automatic risk it will fail simply because of too many manual steps involved. That said, I tested it on AnyRun and it does work, but one can't use their default browser as that is still IE. Open the html file with Chrome or Firefox to get the ZIP file.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
The sample was tested in the OSArmor video below at 10:30 timeline (used Edge to get the ZIP file):



The PE file calc.exe is unsigned, it has hidden file (+H) disk attribute and is from Windows 7 OS.

With calc.exe from Windows 10 it doesn't work:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top