A security researcher has detailed a new QBot campaign in the wild that abuses the legitimate Windows 7 Calculator app to side-load the malware onto the target's machine.
Starting with a phishing email, the campaign asks unsuspecting recipients to open an HTML file, which leads them through a chain of nested files that eventually drops QBot malware onto the system. The Windows Calculator is used to avoid detection by antivirus software.
QBot Malware New Campaign
Starting as a simple backdoor, the QBot (also known as Qakbot) malware has gradually grown into a sophisticated payload dropper [1, 2, 3, 4], serving major botnet and ransomware gangs around the world.
Since it is usually the first foothold on a victim's machine, the QBot developers came up with a new technique to get it there: the Windows 7 Calculator app, abusing its unchecked DLL side-loading behaviour.
As detailed by the security researcher ProxyLife, the campaign starts with a phishing email carrying an HTML file, which asks the user to open it to access some important information. When an unsuspecting user does, the page downloads a password-protected zip file in which the purported information is supposedly stored.
#Qakbot – obama200 – html > .zip > .iso > .lnk > calc.exe > .dll > .dll
T1574 – DLL Search Order Hijacking
cmd.exe /q /c calc.exe
regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll
regsvr32.exe 102755.dll
https://t.co/2Vgg6cuRFh
IOC's https://t.co/e7hkNW8eQu pic.twitter.com/sCH1xagkyR
— proxylife (@pr0xylife) July 11, 2022
The zip file is password-protected so that antivirus software cannot scan its contents. It is the actual culprit, say Cyble researchers, since it contains the QBot malware and other malicious files. Inside is an ISO file, which in turn contains a .LNK file, a copy of 'calc.exe', and two DLL files: WindowsCodecs.dll and a payload named 7533.dll.
Clicking the shortcut file launches calc.exe via Command Prompt. On startup, the calculator app is supposed to load the legitimate WindowsCodecs DLL from a system folder, but because Windows searches the application's own directory before the system directories, the malicious copy the QBot operators placed beside calc.exe is loaded instead.
Because the Windows 7 Calculator app does not verify the file before loading it, the attackers leverage this blind side-loading to load their QBot DLL into the system. This kind of DLL spoofing is not possible with the Windows 10 and 11 calculator apps, so the campaign targets only Windows 7 users.
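The chain above (a copied calc.exe loading WindowsCodecs.dll from a user-writable folder, followed by regsvr32 registering a DLL from the same place) leaves a recognisable pattern in endpoint telemetry. The following script is an added example, not code from the article, ProxyLife or Cyble: it runs a few simple side-loading checks over constructed event records that loosely mimic Sysmon "Image loaded" and "Process creation" data. The field names (`type`, `image`, `loaded`, `command_line`) and the sample paths are assumptions chosen for the example.

```python
"""
Detection example for the DLL search-order hijack described above.

Three checks are applied to each event:
  1. a well-known system DLL name loaded from outside the Windows
     system directories ("sideload"),
  2. a Windows system binary such as calc.exe running from a
     non-system location ("copied_system_binary"),
  3. regsvr32 registering a DLL that lives outside the system
     directories ("regsvr32_user_path").
The event format is a simplified, constructed stand-in for Sysmon
events 7 and 1, not a real log format.
"""
from pathlib import PureWindowsPath

# Illustrative name lists for the example; a real deployment would use a
# fuller inventory of system DLLs and binaries.
SYSTEM_DLLS = {"windowscodecs.dll"}
SYSTEM_BINARIES = {"calc.exe"}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def in_system_dir(path: str) -> bool:
    """True if `path` lies under one of the Windows system directories.
    PureWindowsPath compares case-insensitively, so mixed-case input is fine."""
    p = PureWindowsPath(path)
    return any(d in p.parents for d in SYSTEM_DIRS)


def find_sideload_alerts(events):
    """Return a list of (kind, process_image, offending_path) tuples."""
    alerts = []
    for ev in events:
        image = ev["image"]
        image_name = PureWindowsPath(image).name.lower()

        if ev["type"] == "ImageLoaded":
            # Check 2: a system binary executing from a user-writable path.
            if image_name in SYSTEM_BINARIES and not in_system_dir(image):
                alerts.append(("copied_system_binary", image, image))
            # Check 1: a system DLL name resolved outside the system dirs.
            dll = PureWindowsPath(ev["loaded"])
            if dll.name.lower() in SYSTEM_DLLS and not in_system_dir(ev["loaded"]):
                alerts.append(("sideload", image, ev["loaded"]))

        elif ev["type"] == "ProcessCreate" and image_name == "regsvr32.exe":
            # Check 3: regsvr32 pointed at a DLL outside the system dirs.
            # Whitespace tokenising is enough for the sample; quoted paths
            # containing spaces would need a proper command-line parser.
            for tok in ev["command_line"].split():
                if tok.lower().endswith(".dll") and not in_system_dir(tok):
                    alerts.append(("regsvr32_user_path", image, tok))
    return alerts


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"type": "ImageLoaded",
     "image": r"C:\Windows\System32\calc.exe",
     "loaded": r"C:\Windows\System32\WindowsCodecs.dll"},            # benign
    {"type": "ImageLoaded",
     "image": r"C:\Users\User\AppData\Local\Temp\calc.exe",
     "loaded": r"C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll"},  # side-load
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll"},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},  # benign
]

if __name__ == "__main__":
    for kind, proc, path in find_sideload_alerts(SAMPLE_EVENTS):
        print(f"[{kind}] process={proc} path={path}")
```

The first sample event (calc.exe and WindowsCodecs.dll both under System32) produces nothing, which is the point of keying on the *location* of a known DLL name rather than the name alone. The second and third events reproduce the two steps from the tweet and each trip a check; the last shows that regsvr32 itself is not suspicious when its argument resolves to a system directory.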