QBot malware operators are side-loading their malicious payload onto compromised computers by abusing the Windows Calculator. In short, the Windows Calculator is being used as a vehicle for malicious code.
DLL side-loading is an attack technique frequently used against Windows that exploits the way Dynamic Link Libraries (DLLs) are located and loaded.
The attacker creates a spoofed DLL that takes the name of a legitimate one, places it in a directory the operating system searches, and gets the application to load the fake DLL instead of the real one.
QBot (aka Qakbot) started out as a banking trojan but evolved into a malware dropper as it grew into a more persistent strain targeting Windows systems.
Ransomware gangs use it to drop Cobalt Strike beacons as the first step of their attacks.
QBot has been exploiting the Windows 7 Calculator app to carry out DLL side-loading attacks since July 11, and malspam campaigns are still using this method.
Researchers at Cyble have reported a new QBot infection chain to help defenders protect against this threat.
The latest campaign uses emails carrying an HTML file as an attachment. This HTML file downloads a password-protected ZIP archive that contains an ISO file.
The HTML file also contains the password needed to open the ZIP archive. Locking the archive is intended to evade detection by antivirus software.
The ISO contains several items, which are listed below:-
Once the ISO is mounted, the user sees only the .LNK file it contains. This malicious shortcut is disguised as a PDF or a Microsoft Edge browser document containing important information.
In the file's properties dialog, the shortcut points to Windows' Calculator application. Clicking the shortcut opens a command prompt window, which launches Calc.exe.
On launch, Windows 7 Calculator automatically searches for the legitimate WindowsCodecs DLL by name and attempts to load it.
Calc.exe in Windows 10 and later is no longer affected by this DLL side-loading flaw, which is why the threat actors target the Windows 7 version. Here are the mitigations recommended by the security analysts:-
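The chain above leaves a simple footprint for defenders: a copy of a Windows binary (Calc.exe) sitting outside its system directory next to a DLL bearing the name of one of its dependencies (WindowsCodecs). The following script, added here as an illustration and not code from the article or from Cyble, turns that into a hunting heuristic over a file listing. The listing is constructed (a mounted ISO on E:\, a user download folder and the real System32), the trusted roots are an assumption, and the `calc.exe`/`windowscodecs.dll` pair is the one named in the article.

```python
from pathlib import PureWindowsPath

# Roots from which Windows legitimately resolves system DLLs.
# Assumption: only these two are trusted; extend for your estate.
TRUSTED_DLL_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Binary copied out of its system directory -> DLL it resolves by name on launch.
# This pair is the one described in the article (Calc.exe / WindowsCodecs).
SIDELOAD_PAIRS = {"calc.exe": "windowscodecs.dll"}

# Constructed file listing standing in for a mounted ISO (E:\), a user download
# directory and the real system directory. Not data from the article.
SAMPLE_PATHS = [
    r"E:\Invoice.pdf.lnk",                         # the only file the victim sees
    r"E:\calc.exe",                                # hidden copy of the Windows 7 calculator
    r"E:\WindowsCodecs.dll",                       # hidden malicious DLL, loaded by name
    r"C:\Users\victim\Downloads\calc.exe",         # copied binary, no DLL beside it
    r"C:\Program Files\SomeApp\windowscodecs.dll", # DLL alone: no binary to side-load into
    r"C:\Windows\System32\calc.exe",               # legitimate pair in the system directory
    r"C:\Windows\System32\WindowsCodecs.dll",
]


def _is_trusted_dir(directory: str) -> bool:
    """True if the lower-cased directory is one of, or lies under, a trusted root."""
    for root in TRUSTED_DLL_ROOTS:
        root = root.lower()
        if directory == root or directory.startswith(root + "\\"):
            return True
    return False


def find_sideload_candidates(paths):
    """Group paths by directory and flag side-loading indicators outside trusted roots.

    Returns a list of findings, each a dict with directory, executable, dll
    (None when only the binary was found) and severity.
    """
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())

    findings = []
    for directory, names in sorted(by_dir.items()):
        if _is_trusted_dir(directory):
            continue  # calc.exe next to WindowsCodecs.dll in System32 is normal
        for exe, dll in SIDELOAD_PAIRS.items():
            if exe not in names:
                continue
            if dll in names:
                # Copied system binary plus a same-named dependency: side-loading setup.
                findings.append({"directory": directory, "executable": exe,
                                 "dll": dll, "severity": "high"})
            else:
                # A Windows binary outside its home directory is suspicious on its own.
                findings.append({"directory": directory, "executable": exe,
                                 "dll": None, "severity": "medium"})
    return findings


def scan_sample():
    """Run the heuristic over the constructed listing."""
    return find_sideload_candidates(SAMPLE_PATHS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['severity']}] {f['directory']}  {f['executable']}  {f['dll'] or '-'}")
```

In practice the path list would come from an EDR file inventory or a directory walk of removable and mounted volumes; the point of the two severity tiers is that the DLL name alone is not an indicator (Program Files is full of legitimate `WindowsCodecs.dll` copies), while a relocated system binary with its dependency beside it almost never has a benign explanation.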