QBot malware has a new way of infecting computers: it has been abusing the Windows Calculator app to get onto machines that run Windows.

DLL sideloading is a common attack technique that abuses how Windows resolves dynamic link libraries (DLLs). The attacker gives a malicious DLL the name of a legitimate one and places it in a folder that the operating system searches before the location of the real library, so the program loads the malicious copy instead of the legitimate one.

Security researcher ProxyLife discovered that Qakbot, also known as Qbot, has been abusing the Windows 7 Calculator app for DLL sideloading attacks since at least July 11. The discovery has not stopped it: the technique is still being used in malspam campaigns.

Active for many years and always focused on Windows

QBot, also known as Qakbot, is a strain of Windows malware that started out as a banking Trojan and evolved into a malware dropper. Its first known attacks on Windows date back to 2007. Once it has infiltrated a system, it can harvest the user's financial information as well as sensitive details such as passwords and email addresses.

At Genbeta we have already covered how to protect your computer from this persistent malware, but it keeps evolving.

According to new information, Qbot is now used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons. To help defenders, ProxyLife and Cyble researchers have described how the latest known version of Qbot works. The chain starts with an email.

How Qbot infects computers via calculator

The emails used in the latest campaign carry an HTML attachment that downloads a password-protected ZIP file containing an ISO image. The password needed to open the ZIP is displayed in the HTML file itself; the archive is password-protected so that antivirus engines cannot scan its contents.

The ISO contains a .LNK shortcut file, a copy of calc.exe (the Windows 7 Calculator), and two DLL files: WindowsCodecs.dll and the payload, which the researchers report as 7533.dll. When the user mounts the ISO, only the .LNK file is visible, and it masquerades as a PDF or as a file that opens in the Microsoft Edge browser, as shown in a screenshot shared by Bleeping Computer.

The shortcut, however, points at the Calculator app. Clicking it triggers the infection: the shortcut launches calc.exe through the Command Prompt. When it starts, the Windows 7 Calculator tries to load the legitimate WindowsCodecs.dll, but Windows searches the application's own directory before the system directory, so any DLL with that name placed next to calc.exe is loaded instead of the real one.

Because QBot is loaded through a trusted program such as the Windows Calculator, some security software does not flag the malicious DLL when it is loaded, which lets the attackers evade antivirus. The technique does not work with the calc.exe shipped in Windows 10 and later, which is precisely why the attackers bundle their own copy of the Windows 7 Calculator inside the ISO.
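The following PowerShell script is an added example; it is not part of the Genbeta or Bleeping Computer reporting and is not code from the researchers. It shows the two checks a responder would run on a mounted ISO or any other suspicious folder, covering both the generic DLL sideloading condition explained earlier and the calc.exe chain just described: resolve what each .LNK really launches, and flag DLLs sitting beside an executable that share a name with a library in System32. The demo folder, the shortcut named Invoice.lnk, the hypothetical function names and the empty stand-in WindowsCodecs.dll are all constructed for the example; nothing in it is executed.

```powershell
# Added example, not code from the article or the researchers. Triage a folder
# (e.g. a mounted ISO) for the two tell-tale signs of the chain described above.
# Folder and file names in the demo section are constructed for this example.

function Get-ShortcutTargets {
    # Resolve every .lnk under $Path and report what it actually launches.
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    # A "document" shortcut whose target is a command interpreter or LOLBin,
    # or whose arguments name an .exe/.dll, is the red flag.
    $launcher = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|calc)\.exe$'
    Get-ChildItem -Path $Path -Filter *.lnk -File -Recurse | ForEach-Object {
        $sc = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut   = $_.Name
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            Icon       = $sc.IconLocation
            Suspicious = ($sc.TargetPath -match $launcher) -or ($sc.Arguments -match '\.(exe|dll)\b')
        }
    }
}

function Find-SideloadCandidates {
    # For every directory holding an .exe, list DLLs beside it whose name also
    # exists in System32. In the default search order the loader checks the
    # application's own directory before System32, so such a DLL shadows the
    # real one (unless the name is on the KnownDLLs list, which is always
    # served from System32).
    param([Parameter(Mandatory)][string]$Path)
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse |
        Group-Object DirectoryName | ForEach-Object {
            $dir  = $_.Name
            $exes = ($_.Group.Name -join ', ')
            Get-ChildItem -Path $dir -Filter *.dll -File | ForEach-Object {
                $sysCopy = Join-Path $system32 $_.Name
                if (Test-Path -LiteralPath $sysCopy) {
                    $localHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    $sysHash   = (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
                    [pscustomobject]@{
                        Directory     = $dir
                        Executables   = $exes
                        ShadowingDll  = $_.Name
                        MatchesSystem = ($localHash -eq $sysHash)
                        Signature     = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                        Sha256        = $localHash
                    }
                }
            }
        }
}

# --- Constructed demo folder laid out like the ISO in the article ------------
$demo = Join-Path $env:TEMP 'qbot-sideload-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
# A copy of the local calc.exe stands in for the bundled Windows 7 calculator.
Copy-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\calc.exe') `
          -Destination (Join-Path $demo 'calc.exe') -Force
# Empty placeholder in place of the malicious library; it is never loaded or run.
New-Item -ItemType File -Path (Join-Path $demo 'WindowsCodecs.dll') -Force | Out-Null
# Shortcut that borrows a document icon but launches calc.exe through cmd.exe.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut((Join-Path $demo 'Invoice.lnk'))
$lnk.TargetPath       = Join-Path $env:SystemRoot 'System32\cmd.exe'
$lnk.Arguments        = '/c calc.exe'
$lnk.WorkingDirectory = $demo
$lnk.IconLocation     = (Join-Path $env:SystemRoot 'System32\shell32.dll') + ',1'
$lnk.Save()

Get-ShortcutTargets     -Path $demo | Format-Table -AutoSize
Find-SideloadCandidates -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On the demo folder the first table shows Invoice.lnk resolving to cmd.exe with "/c calc.exe" as its arguments and Suspicious set to True, and the second lists WindowsCodecs.dll beside calc.exe with MatchesSystem False, because its hash differs from the System32 copy. Two caveats when using this on real data: legitimate software does ship private copies of system libraries, so a name collision alone is only a lead, and Microsoft's own DLLs are usually catalog-signed rather than carrying an embedded signature, so a NotSigned status from Get-AuthenticodeSignature is not conclusive by itself. A hash mismatch against the System32 copy combined with a shortcut that hides a launcher is what should be escalated.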