
QBot Uses DLL Hijacking, Abuses Control Panel Executable In a Fresh Attack Wave

A new phishing campaign has been distributing the QBot (aka Qakbot) malware. The campaign abuses a DLL search-order hijacking weakness in the Windows Control Panel executable (control.exe) to infect devices.

How does it work?

ProxyLife recently discovered that the threat actors are using stolen reply-chain emails to deliver a malicious HTML file attachment. When opened, the HTML file displays an image that impersonates Google Drive and automatically downloads a password-protected ZIP archive containing an ISO file.
  • The ISO file contains a Windows shortcut (.LNK) file, a copy of the Windows 10 Control Panel executable (control.exe), and two DLLs: edputil.dll (the hijacked DLL) and msoffice32.dll (the QBot payload).
  • When the user double-clicks the ISO, Windows 10 and later automatically mount it under a new drive letter. The .LNK file uses a folder icon to disguise itself, and when the user tries to open the apparent folder, the shortcut launches control.exe from the mounted image.
  • On startup, control.exe tries to load edputil.dll. The legitimate DLL lives in the Windows System32 directory, but the default DLL search order checks the directory the executable was launched from before System32, so the malicious edputil.dll placed next to control.exe in the ISO is found first.

As a result, the malicious DLL is loaded into a legitimate, signed Windows executable. That DLL then installs QBot by registering the msoffice32.dll payload with the command regsvr32.exe msoffice32.dll.
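The infection chain above leaves a recognisable pattern in endpoint telemetry. The following Python script is an added example, not code from the original article or from the researchers who reported the campaign: it runs three detection rules over constructed, Sysmon-style process-creation and image-load events (not real logs) and flags control.exe running from outside the system directories, a System32 DLL name being loaded from the executable's own directory, and regsvr32.exe registering a DLL from that same staging directory. The Event shape, the list of system DLL names, the D:\ drive letter and the process IDs are assumptions made for illustration; the DLL list also covers the calc.exe/WindowsCodecs.dll variant mentioned later in the article.

```python
"""Hunt for the control.exe DLL-sideloading chain in process telemetry.

Added example: runs three detection rules over constructed, Sysmon-style
events (not real logs). The Event shape, the DLL name list and the paths
are illustrative assumptions.
"""
from dataclasses import dataclass
import ntpath

# Directories Windows' own binaries legitimately run from (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Signed Windows binaries this campaign (and the July calc.exe one) abused.
LOLBINS = {"control.exe", "calc.exe"}
# DLL names that normally exist only under System32; a copy beside a LOLBin
# is a sideload candidate (windowscodecs.dll covers the calc.exe variant).
SYSTEM_DLL_NAMES = {"edputil.dll", "windowscodecs.dll"}


@dataclass
class Event:
    kind: str          # "process" (creation) or "imageload" (DLL load)
    image: str         # full path of the process image
    pid: int
    loaded: str = ""   # imageload only: path of the DLL that was loaded
    cmdline: str = ""  # process only: command line


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower())


def _name(path: str) -> str:
    return ntpath.basename(path.lower())


def analyze(events):
    """Return (rule, pid, artifact) tuples, in event order."""
    findings = []
    staging_dirs = set()  # non-system dirs a LOLBin ran from or sideloaded from
    for ev in events:
        img_dir, img_name = _dir(ev.image), _name(ev.image)
        # Rule 1: a LOLBin copy executing outside the system directories
        # (the ISO is mounted under a new drive letter, e.g. D:\).
        if ev.kind == "process" and img_name in LOLBINS and img_dir not in SYSTEM_DIRS:
            findings.append(("lolbin_outside_system_dir", ev.pid, ev.image))
            staging_dirs.add(img_dir)
        # Rule 2: a System32-only DLL name loaded from the executable's own
        # directory. The default search order checks the application directory
        # before System32, which is exactly what the hijack relies on.
        if (ev.kind == "imageload" and img_dir not in SYSTEM_DIRS
                and _name(ev.loaded) in SYSTEM_DLL_NAMES and _dir(ev.loaded) == img_dir):
            findings.append(("dll_sideload", ev.pid, ev.loaded))
            staging_dirs.add(img_dir)
        # Rule 3: regsvr32.exe registering a DLL that lives in a staging
        # directory flagged by rules 1 or 2 (the msoffice32.dll step).
        if ev.kind == "process" and img_name == "regsvr32.exe":
            for tok in ev.cmdline.split():
                tok = tok.strip('"')
                if tok.lower().endswith(".dll") and _dir(tok) in staging_dirs:
                    findings.append(("regsvr32_payload_from_staging_dir", ev.pid, tok))
    return findings


# Constructed events modelling the chain described above (D:\ = mounted ISO),
# plus a benign Control Panel launch from System32 as a control case.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\explorer.exe", pid=1000),
    Event("process", r"D:\control.exe", pid=1200, cmdline=r"D:\control.exe"),
    Event("imageload", r"D:\control.exe", pid=1200, loaded=r"D:\edputil.dll"),
    Event("imageload", r"D:\control.exe", pid=1200,
          loaded=r"C:\Windows\System32\kernel32.dll"),
    Event("process", r"C:\Windows\System32\regsvr32.exe", pid=1300,
          cmdline=r"regsvr32.exe D:\msoffice32.dll"),
    Event("process", r"C:\Windows\System32\control.exe", pid=1400, cmdline="control.exe"),
    Event("imageload", r"C:\Windows\System32\control.exe", pid=1400,
          loaded=r"C:\Windows\System32\edputil.dll"),
]

if __name__ == "__main__":
    for rule, pid, artifact in analyze(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {artifact}")
```

Run stand-alone, the script reports the three stages for the malicious control.exe (pid 1200/1300) and nothing for the benign launch from System32 (pid 1400). Rule 2 on its own can fire on third-party software that ships a private copy of a Windows DLL, so in a real deployment it is the correlation with rule 1 and the regsvr32 step in rule 3 that should drive the alert severity.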

Post-infection activities

Because QBot is installed through a trusted, signed Windows program (the Windows 10 Control Panel), the chain is designed not to raise red flags with users or security tools while QBot carries out its further activities.
  • The malware runs quietly in the background, steals emails for use in future reply-chain phishing attacks, and downloads additional post-exploitation toolkits such as Brute Ratel or Cobalt Strike.
  • These additional payloads give the attackers remote access to corporate networks, which they use for data theft and ransomware attacks.

Conclusion

QBot started as a banking trojan and has evolved into a full-featured malware dropper. This is also not the first time threat actors have used a trusted program to evade detection: in July, they were found exploiting a DLL hijacking vulnerability in the Windows 7 Calculator (calc.exe) to install QBot. The use of trusted programs, low detection rates, and lateral movement capabilities make QBot a serious threat.
Cyware Publisher
