One of the most beloved Windows tools could actually be a huge security risk

Representational image depecting cybersecurity protection

(Image credit: Shutterstock)

Calculator, one of the most basic (and most useful) Windows tools, is being abused to load malware onto target endpoints, researchers have found.

ProxyLife experts discovered the Windows calculator tool can be used to infect the device with Qbot, a known malware dropper used to deliver Cobalt Strike beacons on targeted devices, which is often the first step in a ransomware attack.

As usual, the attack starts with a phishing attempt. The threat actor will mail the victim, attaching an HTML file that, in turn, downloads a password-protected .ZIP archive. Being password-protected helps the payload avoid detection from antivirus programs. Extracting the .ZIP archive shows an .ISO file, a digital file format replicating a physical CD, DVD, or BD. Mounting the .ISO brings forth four files: two .DLL files (one of which is the Qbot malware), one shortcut (posing as the file the victim is supposed to open), and the calculator program (calc.exe).

Running malicious DLLs

The shortcut does nothing more than bring up the calculator, but here’s the fun part: when the calculator starts, it will look for .DLL files needed to properly run. It won’t look for them in specific folders, but rather first and foremost - in the same folder as the calc.exe. Which brings us back to the two .DLL files that the victim downloaded together with the Calculator.

> Hackers abusing this perfectly innocent Windows 10 feature to infect machines

> New phishing campaign targeting US tax return payers ahead of 2021 deadline

> Here's our take for the best secure email providers right now

Running the calculator will trigger the first .DLL file, and that one will trigger the second, or in this case - the Qbot malware.

The practice is also known as DLL side-loading.

It is also worth mentioning that this attack does not work on Windows 10, or Windows 11, but works on Windows 7, which is why the threat actors bundle the Windows 7 version. The campaign has been active since July 11, and apparently, is still active at press time.

These are the best firewall services right now

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.