QBot Now Spreads Via Windows Calculator

What is side-loading?

• DLL side-loading is a common type of attack that takes advantage of how DLLs are managed in Windows.
• It entails creating a fake version of a valid DLL file and storing it in a folder where the operating system will load it instead of the real file.

Why Windows Calculator?

• Malicious actors avoid detection by installing the QBot malware in trusted apps such as the Windows Calculator. Another advantage is that QBot frequently avoids detection by security tools.
• Furthermore, threat actors use Windows 7 because the DDL sideloading vulnerability is no longer exploitable in Windows 10 Calc.exe and later versions.

How the attack unfolds?

• To avoid antivirus detection, the password for opening the ZIP file is displayed in the HTML file.
• The ISO file contains two DLL files - the payload 7533.dll and WindowsCodecs.dll, as well as the Windows calculator app calc.exe.
• When a user installs this ISO file, the.LNK file is displayed, which presents itself as a PDF containing important data or a file that opens in the Microsoft Edge browser.
• When the file is opened, users are directed to the Windows Calculator app. Clicking the app causes the infection to be activated on their devices via Command Prompt.
• When Windows 7 Calculator is launched, it searches for and attempts to load the genuine WindowsCodecs DLL file.
• However, the Calculator does not look for the DLL in certain hard-coded paths and will load any DLL with the same name if it is in the same folder as the Calc.exe executable.

How to avoid a QBot attack?

• It is recommended that users check to see if a file is legitimate before opening it.
• Users are advised to use multi-factor authentication, in addition to having a strong password and regularly updating their password.
• Using reputable anti-virus and internet security software on all connected devices.

Conclusion