Windows Calculator exploited by the QBot malware for sideloading attacks

July 27, 2022
Windows 7 Calculator Software Exploit QBot Malware Sideloading Cyberattacks

QBot malware operators have been abusing the Windows 7 Calculator to carry out a DLL sideloading attack that delivers malicious payloads to targeted devices.

DLL sideloading is an attack technique that abuses the order in which Windows searches for a Dynamic Link Library (DLL) when an application loads one by name. The attacker places a malicious DLL carrying the name of a legitimate library in a location the loader checks before the genuine copy, typically the directory of the executable itself, so the trusted program loads the impostor instead of the authentic library.

Qbot (also known as Qakbot) is Windows malware that emerged as a banking trojan and has since evolved into a malware dropper. It is currently used by ransomware groups in the initial stages of a campaign to deploy Cobalt Strike beacons.

According to researchers, Qbot has been abusing the Windows 7 Calculator application for DLL sideloading since the first weeks of July, and the method is still in use in malicious spam campaigns at the time of writing.

Based on reports, the emails used by the QBot operators in the recent campaign carry an HTML file attachment that downloads a password-protected ZIP archive containing an ISO file.
The ISO file in turn contains a [.]LNK shortcut file, a copy of the Windows 7 Calculator (Calc[.]exe), and two DLL files: one named WindowsCodecs[.]dll and the payload, named 7533[.]dll.
When a user mounts the ISO, only the [.]LNK file is visible; the other files are hidden. The shortcut is disguised as a PDF holding important information or as a file to be opened with Microsoft Edge. It opens neither a document nor a browser, however: its target is the bundled Windows Calculator executable.

Double-clicking the shortcut starts the infection chain: the LNK launches Calc[.]exe through Command Prompt (cmd.exe). On start-up, the Windows 7 Calculator tries to load WindowsCodecs[.]dll by name, and because the DLL search order checks the directory of the executable first, it picks up any DLL of that name stored alongside the copied Calc[.]exe rather than the legitimate one in the Windows system directory.

The malware operators abuse this search-order behaviour by shipping their own malicious WindowsCodecs[.]dll, which in turn loads the numbered DLL, 7533[.]dll, the Qbot payload.
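The following Python script is an added illustration, not code from the report or from the QBot tooling. It models the default load-time DLL search order (SafeDllSearchMode enabled) that a copied Windows 7 calc.exe follows when it asks for WindowsCodecs.dll, and flags imports the loader would satisfy from beside the executable while a same-named library exists in System32. The D: drive letter for the mounted ISO, the import list, the KnownDLLs subset, the %PATH% entries and the file layout are all constructed for the example.

```python
"""Simulate the Windows DLL search order to spot sideloading candidates.

Added example, not code from the article or from the QBot operators. It
models the default load-time search order (SafeDllSearchMode enabled) that
a copied Windows 7 calc.exe follows when it imports WindowsCodecs.dll. The
drive letter D:, the import list, the KnownDLLs subset and the file layout
are all constructed for illustration.
"""
from pathlib import PureWindowsPath

SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")
SYSTEM16_DIR = PureWindowsPath(r"C:\Windows\System")
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")

# Subset of the KnownDLLs list (assumed). The loader maps these from System32
# no matter what the search order says, so they cannot be sideloaded this way.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll"}

# Constructed file layout: the mounted ISO on D: next to a normal C: install.
CONSTRUCTED_FS = {
    r"D:\calc.exe",              # copied Windows 7 Calculator
    r"D:\WindowsCodecs.dll",     # attacker's DLL with a legitimate name
    r"D:\7533.dll",              # Qbot payload loaded by the DLL above
    r"D:\kernel32.dll",          # planted too, but a KnownDLL: ignored
    r"C:\Windows\System32\calc.exe",
    r"C:\Windows\System32\WindowsCodecs.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
}
# Imports we care about; WindowsCodecs.dll is the one the article names.
CALC_IMPORTS = ["kernel32.dll", "user32.dll", "WindowsCodecs.dll"]
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]   # assumed %PATH%
CWD = r"C:\Users\victim"                              # assumed working dir


def _key(path):
    """Windows paths are case-insensitive; compare lower-cased strings."""
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir, cwd=CWD, path_dirs=PATH_DIRS):
    """Default load-time search order with SafeDllSearchMode on: the
    application directory comes first, which is what sideloading exploits."""
    return [PureWindowsPath(app_dir), SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR,
            PureWindowsPath(cwd), *[PureWindowsPath(p) for p in path_dirs]]


def resolve_dll(name, app_dir, fs=CONSTRUCTED_FS):
    """Return the path the loader would pick for `name`, or None."""
    if name.lower() in KNOWN_DLLS:
        return SYSTEM_DIR / name
    present = {_key(p) for p in fs}
    for directory in search_order(app_dir):
        candidate = directory / name
        if _key(candidate) in present:
            return candidate
    return None


def find_sideloads(imports, app_dir, fs=CONSTRUCTED_FS):
    """Flag imports the loader would take from outside the Windows directory
    while a same-named DLL exists in System32: the DLL sideloading signature.
    Returns a list of (dll name, path actually loaded)."""
    present = {_key(p) for p in fs}
    findings = []
    for name in imports:
        chosen = resolve_dll(name, app_dir, fs)
        if chosen is None:
            continue
        shadowed = _key(SYSTEM_DIR / name) in present
        if shadowed and not _key(chosen).startswith(_key(WINDOWS_DIR) + "\\"):
            findings.append((name, str(chosen)))
    return findings


if __name__ == "__main__":
    # calc.exe run from the ISO: WindowsCodecs.dll is taken from D:\
    print(find_sideloads(CALC_IMPORTS, "D:\\"))
    # the same binary run from its real home loads nothing suspicious
    print(find_sideloads(CALC_IMPORTS, SYSTEM_DIR))
```

Two points the run makes explicit: the planted kernel32.dll on D: is never picked up, because KnownDLLs bypass the search order entirely, and the identical calc.exe started from its real location in System32 produces no finding, which is why the operators ship their own copy of the binary inside the ISO rather than relying on the installed one.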

Because the payload is loaded by a legitimate, Microsoft-signed executable, security software may not flag it, which lets the threat actors slip Qbot past security solutions by having the Windows Calculator load it.
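The trusted-binary trick does leave traces a defender can hunt for. The script below is an added example, not code from the report or from any vendor product: it runs simple detection logic over process-creation and image-load records using Sysmon-style field names (Event ID 1 and Event ID 7). The events, the D: drive letter and the benign control records are constructed for the example; WindowsCodecs.dll is the only DLL name taken from the article, and the watch lists are assumptions.

```python
"""Hunt for the calc.exe sideloading chain in endpoint telemetry.

Added example, not from the article or from any vendor product. The events
below use Sysmon-style field names (Event ID 1 process creation, Event ID 7
image load) but are constructed for this example; the D: drive letter and
the benign control events are assumed.
"""
import ntpath

WINDOWS_PREFIX = "c:\\windows\\"
# Binaries whose only legitimate home is the Windows directory (assumed list).
SYSTEM_BINARIES = {"calc.exe"}
# DLLs those binaries normally pull from System32; WindowsCodecs.dll is the
# one the article names.
SIDELOAD_DLLS = {"windowscodecs.dll"}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"D:\calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "calc.exe"},
    {"EventID": 7, "Image": r"D:\calc.exe",
     "ImageLoaded": r"D:\WindowsCodecs.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"D:\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "calc.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsCodecs.dll", "Signed": "true"},
]


def _in_windows(path):
    return path.lower().startswith(WINDOWS_PREFIX)


def inspect_event(ev):
    """Return the reasons an event looks like the sideloading chain
    (an empty list means nothing suspicious)."""
    reasons = []
    image = ev.get("Image", "")
    base = ntpath.basename(image).lower()
    if ev["EventID"] == 1:
        # a system binary executing from a mounted ISO, %TEMP% or a profile
        if base in SYSTEM_BINARIES and not _in_windows(image):
            reasons.append(f"{base} running outside the Windows directory: {image}")
            if ntpath.basename(ev.get("ParentImage", "")).lower() == "cmd.exe":
                reasons.append("started by cmd.exe (LNK -> cmd -> calc pattern)")
    elif ev["EventID"] == 7:
        # a System32 library loaded from a non-system path, beside the image
        loaded = ev.get("ImageLoaded", "")
        lbase = ntpath.basename(loaded).lower()
        if lbase in SIDELOAD_DLLS and not _in_windows(loaded):
            reasons.append(f"{lbase} loaded from a non-system path: {loaded}")
            if ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower():
                reasons.append("DLL sits beside the executable (search-order sideload)")
            if ev.get("Signed", "true").lower() == "false":
                reasons.append("loaded DLL is unsigned")
    return reasons


def hunt(events):
    """Return (EventID, Image, reasons) for every event that triggers."""
    hits = []
    for ev in events:
        reasons = inspect_event(ev)
        if reasons:
            hits.append((ev["EventID"], ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The two control events, Calculator started by Explorer from System32 and loading the genuine WindowsCodecs.dll from System32, produce no hit, while the copy on D: trips both the process-creation and the image-load rule. The signature check on the loaded DLL is the cheapest discriminator: the executable is signed by Microsoft, the library it loads from the ISO is not.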
