A security researcher has detailed a new QBot campaign in the wild that abuses the legitimate Windows 7 Calculator app to side-load the malware onto the target's machine.
The campaign starts with a phishing email that lures the recipient into opening an HTML attachment; the files it fetches in turn eventually drop the QBot malware onto the system. The Windows Calculator is used as the loader to evade detection by antivirus software.
QBot Malware New Campaign
Starting out as a simple backdoor, QBot (also known as Qakbot) has gradually grown into a sophisticated payload dropper [1, 2, 3, 4], serving major botnet and ransomware gangs throughout the world.
Since initial access is the first hurdle in compromising a victim's machine, the QBot developers came up with a new technique: the Windows 7 Calculator app, abusing the fact that it loads a DLL placed beside it without checking it (DLL side-loading).
As detailed by ProxyLife, a security researcher, the campaign starts with a phishing email carrying an HTML file and asking the user to open it to access some important information. When an unsuspecting user does, the click downloads a password-protected zip file in which the purported information is stored.
#Qakbot – obama200 – html > .zip > .iso > .lnk > calc.exe > .dll > .dll
T1574 – DLL Search Order Hijacking
cmd.exe /q /c calc.exe
regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll
regsvr32.exe 102755.dll
https://t.co/2Vgg6cuRFh
IOC's https://t.co/e7hkNW8eQu pic.twitter.com/sCH1xagkyR
— proxylife (@pr0xylife) July 11, 2022
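The two steps of the chain a defender can actually observe are calc.exe loading a DLL from a user-writable directory and calc.exe then spawning regsvr32. The following detector, an added example that is not part of the article or of ProxyLife's research, runs that logic over constructed Sysmon-style events; the event field names and sample paths are assumptions for illustration.

```python
import ntpath

# Directories from which calc.exe legitimately loads its DLLs (assumption: the
# Windows system directories only). Anything else is treated as a side-load.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry mirroring Sysmon numbering: 1 = process create,
# 7 = image load. The calc.exe here runs from a mounted ISO (D:\), as in the chain.
SAMPLE_EVENTS = [
    (1, {"image": r"D:\calc.exe",
         "parent": r"C:\Windows\System32\cmd.exe",
         "cmdline": "calc.exe"}),
    (7, {"image": r"D:\calc.exe",
         "loaded": r"C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll"}),
    (1, {"image": r"C:\Windows\System32\regsvr32.exe",
         "parent": r"D:\calc.exe",
         "cmdline": "regsvr32.exe 102755.dll"}),
    (7, {"image": r"D:\calc.exe",            # benign load from System32, no alert
         "loaded": r"C:\Windows\System32\kernel32.dll"}),
]


def is_calc(path):
    return ntpath.basename(path).lower() == "calc.exe"


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(events):
    """Return one alert string per suspicious event:
    (a) calc.exe loading a DLL from outside the system directories (T1574),
    (b) calc.exe acting as the parent of regsvr32.exe."""
    alerts = []
    for etype, f in events:
        if etype == 7 and is_calc(f["image"]) and not in_system_dir(f["loaded"]):
            alerts.append(f"side-load: calc.exe loaded {f['loaded']}")
        if etype == 1 and is_calc(f["parent"]) \
                and ntpath.basename(f["image"]).lower() == "regsvr32.exe":
            alerts.append(f"child: calc.exe spawned {f['cmdline']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because the check keys on behaviour rather than on the binary, it also fires for a renamed or relocated copy of calc.exe as long as the image name is preserved; hash-based allow-listing of the old Windows 7 binary would catch the file itself.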