"QBot Phishing Uses Windows Calculator Sideloading to Infect Devices"

The QBot malware's operators have been using the Windows Calculator to side-load their malicious payload onto infected computers. DLL side-loading is a common attack method that takes advantage of how Windows locates Dynamic Link Libraries (DLLs): a malicious DLL is given the name of a legitimate one and placed in a folder from which the operating system loads it instead of the genuine library. QBot, also known as Qakbot, is a Windows malware strain that began as a banking Trojan but evolved into a malware dropper; ransomware gangs use it in the early stages of an attack to drop Cobalt Strike beacons.

ProxyLife, a security researcher, recently discovered that Qakbot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11, and the method is still in use in malspam campaigns. The emails in the latest campaign carry an HTML file attachment that downloads a password-protected ZIP archive containing an ISO file. The password for the ZIP file is displayed in the HTML file; the archive is locked to avoid antivirus detection.

When launched, the Windows 7 Calculator searches for and attempts to load the genuine WindowsCodecs DLL file. It does not restrict that search to fixed, hard-coded paths, so it will load any DLL of the same name that sits in the same folder as the Calc.exe executable. Threat actors exploit this flaw by supplying their own malicious WindowsCodecs.dll, which in turn launches the other [numbered].dll file, which contains the QBot malware. This article continues to discuss the use of the Windows Calculator by QBot malware operators for side-loading.
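As an added example (not code from the article, the researcher or the malware), the Python check below applies the detection logic a defender would derive from this chain to image-load telemetry: a watched system DLL name (WindowsCodecs.dll) loaded from the executable's own folder instead of a trusted Windows directory. The field names follow Sysmon image-load events; the sample records and the watchlist are constructed.

```python
from pathlib import PureWindowsPath

# DLL names known to be spoofed by side-loaders. WindowsCodecs.dll is the one
# abused in the Calculator chain; the set is a constructed starting point.
WATCHED_DLLS = {"windowscodecs.dll"}

# Directories from which a genuine copy of these DLLs is expected to load.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is root or lies beneath it (Windows paths are case-insensitive)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def is_sideload_candidate(image: str, image_loaded: str) -> bool:
    """Flag a process that loads a watched DLL name from its own directory
    rather than from a trusted Windows directory: exactly what Calc.exe does
    when a planted WindowsCodecs.dll sits beside it."""
    exe = PureWindowsPath(image)
    dll = PureWindowsPath(image_loaded)
    if dll.name.lower() not in WATCHED_DLLS:
        return False
    if any(_under(dll.parent, t) for t in TRUSTED_DIRS):
        return False
    # Side-loading relies on the DLL sharing the executable's folder.
    return str(dll.parent).lower() == str(exe.parent).lower()


def scan(records):
    """Return (Image, ImageLoaded) pairs that match; records are dicts using
    the Sysmon image-load field names Image and ImageLoaded."""
    return [(r["Image"], r["ImageLoaded"]) for r in records
            if is_sideload_candidate(r["Image"], r["ImageLoaded"])]


# Constructed sample records, not real telemetry. The last one stands in for
# the page's second-stage [numbered].dll, whose real name is not known here.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsCodecs.dll"},
    {"Image": r"D:\calc.exe", "ImageLoaded": r"D:\WindowsCodecs.dll"},
    {"Image": r"D:\calc.exe", "ImageLoaded": r"D:\12345.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print("possible DLL side-load:", *hit)
```

The name-based rule catches the spoofed WindowsCodecs.dll but not the second-stage DLL, which has no legitimate name to compare against; that stage needs a different signal (for example, the Calculator process spawning from a mounted ISO).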

Bleeping Computer reports "QBot Phishing Uses Windows Calculator Sideloading to Infect Devices"