Elain Brown Tech 07.25.2022 01:Jul AM EDT

QBot Malware Takes Advantage of Windows Calculator to Infect Devices

Qbot malware now spreads through the Windows Calculator app.

The QBot malware has been infecting devices with Windows operating systems by masking itself as a legitimate app.

Qbot, also known as Qakbot, has been utilizing the Windows 7 Calculator software for DLL side-loading hacks since at least July 11.

The QBot malware's authors have been utilizing the Windows Calculator to side-load the malicious payload onto affected devices.

DLL side-loading is a prevalent form of attack that makes use of the way Dynamic Link Libraries (DLLs) are managed within Windows.

It involves creating a fake version of a valid DLL file and storing it in a folder from which the operating system will load it in place of the real file.

The QBot Malware Attack

The Qbot malware's emails in the recent attack deploy an HTML file attachment that downloads a password-protected ZIP archive containing an ISO file.

According to BleepingComputer, the ISO file contains two DLL files: a payload named 7533.dll and WindowsCodecs.dll, and the Windows calculator app named 'calc.exe'.

If a user installs this ISO file, it will display the .LNK file, which pretends itself as a PDF with important data or a file that opens in the Edge browser.

However, after opening the file, users will then be redirected to a Windows calculator app. Clicking the app then leads them to trigger the infection on their devices through the Command Prompt.

The Windows 7 Calculator then searches for and attempts to load the genuine WindowsCodecs DLL file.

As reported, "it does not check for the DLL in certain hard coded paths, and will load any DLL with the same name if placed in the same folder as the Calc.exe executable."

Malicious actors avoid detection through this strategy of installing the Qbot malware in trusted apps like the Windows Calculator. Another benefit of that is that it bypasses detection from security tools most of the time.

Furthermore, the reason threat actors use Windows 7 is that the vulnerability in the DDL sideloading is no longer exploitable in Windows 10 Calc.exe and later versions.

Recommendations To Avoid QBot

As reported by Cyble,the Qakbot malware is very active, and they are constantly adapting their strategies in order to make them more effective and have a greater influence.

This malware steals credentials and personal sensitive data from the victim's devices and then utilizes those credentials for the financial gain of the threat actors.

In addition to the immediate monetary impact, this may also result in instances of identity theft, fraud, and other repercussions for anyone whose computer was infected with the Qakbot software.

To avoid the attacks, users should avoid opening, clicking, or downloading any software or files from a suspicious and unknown sender, whether via email or websites.

It is recommended for users to verify if a file is legit before opening it. Next, it is highly recommended for users to use multi-factor authentication along with having a strong password as well as updating their password.

Lastly, using well-known and reputable anti-virus programs and internet security software on all of a user's linked devices, including desktop computers, laptops, and mobile gadgets, will help protect one's systems from malware attacks like this.