"QBot Phishing Abuses Windows Control Panel EXE to Infect Devices"

Phishing emails distributing the QBot malware are infecting computers by exploiting a Dynamic-Link Library (DLL) hijacking flaw in the Windows 10 Control Panel, most likely to avoid detection by security software.

DLL hijacking is a common attack technique that exploits the way DLLs are loaded in Windows. When a Windows executable is launched, it searches the Windows search path for any DLL dependencies. However, if a threat actor creates a malicious DLL with the same name as one of the program's required DLLs and places it in the same folder as the executable, the program will load that malicious DLL instead of the required DLL, infecting the computer.

QBot, also known as Qakbot, is Windows malware that began as a banking Trojan but has since evolved into a full-fledged malware dropper. The malware is also used by ransomware gangs such as Black Basta, Egregor, and Prolock to gain initial access to corporate networks.

In July, a security researcher discovered that threat actors were installing the QBot malware by exploiting a DLL hijacking vulnerability in the Windows 7 Calculator. According to the security researcher ProxyLife, attackers have switched to exploiting a DLL hijacking flaw in the Windows 10 Control Panel executable. Since QBot is installed through a trusted program, such as the Windows 10 Control Panel, security software may not flag the malware as malicious, thus allowing it to avoid detection.

Once installed, QBot runs in the background, quietly stealing emails for use in phishing attacks and downloading additional payloads like Brute Ratel or Cobalt Strike. Threat actors use the Brute Ratel and Cobalt Strike post-exploitation toolkits to gain remote access to corporate networks. This remote access is typically used to steal corporate data and launch ransomware attacks.

This article continues to discuss phishing emails distributing the QBot malware that use a DLL hijacking flaw in the Windows 10 Control Panel to infect computers.
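One way to hunt for the loading pattern described above, as an added example that is not from the original article: the Python sketch below flags a copy of a trusted Windows binary running outside the system directories, and separately the case where it loads a DLL from its own folder. The event fields, sample paths and DLL names are constructed assumptions, not indicators from the campaign.

```python
from pathlib import PureWindowsPath

# Assumption: where Windows system binaries legitimately live on a default install.
SYSTEM_DIRS = {PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64")}
# The trusted programs named in the article: Control Panel and Calculator.
WATCHED_EXES = {"control.exe", "calc.exe"}

# Constructed image-load events (process image + DLL it loaded); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\control.exe",
     "loaded": r"C:\Windows\System32\shell32.dll"},
    {"image": r"D:\control.exe", "loaded": r"D:\example.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\inv\calc.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\inv\calc.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\inv\example.dll"},
    {"image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Program Files\App\helper.dll"},
]

def classify(event):
    """Return None, "relocated" or "sideload" for one image-load event."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    if image.name.lower() not in WATCHED_EXES:
        return None                      # not a binary we are watching
    if image.parent in SYSTEM_DIRS:
        return None                      # running from its normal location
    # PureWindowsPath compares case-insensitively, like the Windows file system.
    if loaded.parent == image.parent:
        return "sideload"                # DLL came from the binary's own folder
    return "relocated"                   # copied system binary, DLL from elsewhere

def find_hijacks(events):
    """Collect (image, dll, verdict) for every suspicious event."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((event["image"], event["loaded"], verdict))
    return findings

if __name__ == "__main__":
    for image, dll, verdict in find_hijacks(SAMPLE_EVENTS):
        print(f"{verdict:9} {image} <- {dll}")
```

In real telemetry the same two conditions map onto process-creation and image-load events; the watched list and system directories would need tuning for the environment.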

Bleeping Computer reports "QBot Phishing Abuses Windows Control Panel EXE to Infect Devices"
