QBot Malware Leveraging Windows Calculator to Compromise Devices

According to researcher “ProxyLife” on Twitter, the QBot malware, aka QakBot, has been exploiting the Windows 7 Calculator app since at least July 11, 2022.

The QBot (aka QakBot) malware targets devices running the Windows operating system in a rather unconventional way. Security researcher ProxyLife reported that attackers are infecting Windows PCs with QBot, and that the malicious code is being loaded through the Windows Calculator application.

The researcher noted that infecting PCs in this way can also make it easier for cyber crooks to launch malspam (malicious spam) campaigns.

Windows calculator app distributing malware

The QBot malware has been exploiting the Windows 7 Calculator app since at least July 11, 2022. The app is abused for DLL sideloading. In this well-known form of attack, the attacker takes advantage of how Windows resolves dynamic link libraries: a fake DLL carrying the same name as a legitimate one is planted in the application's own folder, and the system loads it instead of the original.

Because the calculator is a trusted, signed Windows program, the security software does not flag it, so the malicious DLL it pulls in can escape detection.

What is QBot?

For your information, QBot is a strain of Windows malware. It first surfaced as a banking trojan and has now become a preferred choice of ransomware gangs due to its steady evolution into a powerful malware distribution platform.

How does it infect Windows machines?

According to Bleeping Computer, the malware is delivered via emails carrying an HTML attachment. This attachment contains a password-protected ZIP archive holding an ISO file, which in turn contains a .LNK file.

According to the researcher, this file is a spoofed version of the Windows Calculator application file (calc.exe). Two DLL files are also present in the archive – WindowsCodecs.dll and 7533.dll, which contain the malicious payload.

When the email recipient opens the ISO file, it runs a .LNK shortcut related to the Calculator app. When the victim opens the shortcut, the spoofed calculator application opens and the system is infected with QBot malware through the command prompt.
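A defender-side illustration of the sideloading chain described above and in the earlier section: this is an added example, not code from the article or from ProxyLife, that runs a simple rule over constructed image-load telemetry (field names modelled on Sysmon Event ID 7: Image, ImageLoaded, Signed). It flags calc.exe loading a system DLL name such as WindowsCodecs.dll from a non-system directory, or any unsigned DLL such as 7533.dll. The mounted-ISO drive letter D: is an assumption.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which calc.exe legitimately resolves its DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names that a genuine calc.exe only ever loads from a system directory;
# WindowsCodecs.dll is the one named in the article.
SYSTEM_DLL_NAMES = {"windowscodecs.dll"}


@dataclass
class ImageLoad:
    """Fields modelled on a Sysmon Event ID 7 (image load) record."""
    process_image: str   # Image: the executable that loaded the DLL
    image_loaded: str    # ImageLoaded: path of the DLL that was loaded
    signed: bool         # Signed: Authenticode signature validated


def is_sideload(ev: ImageLoad) -> bool:
    """True if this load looks like calc.exe sideloading a DLL."""
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    if proc.name.lower() != "calc.exe":
        return False
    if str(dll.parent).lower() in SYSTEM_DIRS:
        return False  # loaded from System32/SysWOW64: the expected location
    # A system DLL name served from elsewhere (the planted WindowsCodecs.dll),
    # or any unsigned DLL pulled into calc.exe (the 7533.dll payload).
    return dll.name.lower() in SYSTEM_DLL_NAMES or not ev.signed


def flag_sideloads(events):
    """Return the DLL paths of every event that is_sideload() flags."""
    return [ev.image_loaded for ev in events if is_sideload(ev)]


# Constructed sample telemetry: a clean calc.exe first, then the chain from
# the article run from a mounted ISO (drive letter D: is an assumption).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\calc.exe",
              r"C:\Windows\System32\WindowsCodecs.dll", True),
    ImageLoad(r"C:\Windows\System32\calc.exe",
              r"C:\Windows\System32\ntdll.dll", True),
    ImageLoad(r"D:\calc.exe", r"D:\WindowsCodecs.dll", False),
    ImageLoad(r"D:\calc.exe", r"D:\7533.dll", False),
]

if __name__ == "__main__":
    for path in flag_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

On Windows 10 and 11 this rule still applies but the specific WindowsCodecs.dll path is less useful, since calc.exe there resolves its libraries differently; the unsigned-DLL condition is the more durable of the two.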

Image: ProxyLife (Twitter)

Who is at risk?

It should be noted that hackers cannot exploit Windows 10 or 11 with this DLL sideloading technique, so they can only target systems running Windows 7. All Windows 7 users should beware of these suspicious emails and avoid opening attached ISO files.
