Calculator, one of the most basic (and most useful) Windows tools, is being abused to load malware onto target endpoints, researchers have found.
ProxyLife experts discovered the Windows calculator tool can be used to infect the device with Qbot, a known malware dropper used to deliver Cobalt Strike beacons on targeted devices, which is often the first step in a ransomware attack.
As usual, the attack starts with a phishing attempt. The threat actor will mail the victim, attaching an HTML file that, in turn, downloads a password-protected .ZIP archive. Being password-protected helps the payload avoid detection from antivirus programs. Extracting the .ZIP archive shows an .ISO file, a digital file format replicating a physical CD, DVD, or BD. Mounting the .ISO brings forth four files: two .DLL files (one of which is the Qbot malware), one shortcut (posing as the file the victim is supposed to open), and the calculator program (calc.exe).
Running malicious DLLs
The shortcut does nothing more than bring up the calculator, but here’s the fun part: when the calculator starts, it will look for .DLL files needed to properly run. It won’t look for them in specific folders, but rather first and foremost - in the same folder as the calc.exe. Which brings us back to the two .DLL files that the victim downloaded together with the Calculator.
Running the calculator will trigger the first .DLL file, and that one will trigger the second, or in this case - the Qbot malware.
The practice is also known as DLL side-loading.
It is also worth mentioning that this attack does not work on Windows 10, or Windows 11, but works on Windows 7, which is why the threat actors bundle the Windows 7 version. The campaign has been active since July 11, and apparently, is still active at press time.
- These are the best firewall services right now
Via: BleepingComputer
