
QBot phishing uses Windows Calculator sideloading to infect devices
2022-07-24 15:18

The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers.

Security researcher ProxyLife recently discovered that Qakbot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11.

The shortcut points to the Calculator app in Windows, as seen in the properties dialog for the files.

When loaded, the Windows 7 Calculator automatically searches for and attempts to load the legitimate WindowsCodecs DLL file.

Because QBot is installed through a trusted program like the Windows Calculator, some security software may not detect the malware when it is loaded, allowing the threat actors to evade detection.

It should be noted that this DLL sideloading flaw no longer works in the Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version.
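A defender can hunt for the pairing described above, a copy of calc.exe sitting in the same folder as a WindowsCodecs.dll outside the Windows system directories. The following is an added example, not code from the article or from ProxyLife; the trusted-directory list, the function names and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile

# File names from the article: the bundled Calculator and the DLL it searches for.
HOST_EXE = "calc.exe"
SIDELOADED_DLL = "windowscodecs.dll"
# Assumption: the only locations where a genuine copy of both files is expected.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def is_trusted(path):
    """True if path is one of the trusted system directories or lies below one."""
    norm = path.replace("/", "\\").lower().rstrip("\\")
    return any(norm == d or norm.startswith(d + "\\") for d in TRUSTED_DIRS)

def find_sideload_pairs(root):
    """Return untrusted directories under root holding calc.exe next to WindowsCodecs.dll."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}  # Windows file names are case-insensitive
        if HOST_EXE in names and SIDELOADED_DLL in names and not is_trusted(dirpath):
            hits.append(dirpath)
    return sorted(hits)

def build_sample_tree(base):
    """Create a constructed sample layout; return the one folder that should be flagged."""
    layout = {
        "Users/alice/AppData/Local/Temp/staging": ["calc.exe", "WindowsCodecs.dll", "report.lnk"],
        "Users/alice/Downloads": ["calc.exe"],        # executable alone: not flagged
        "Tools/imaging": ["WindowsCodecs.dll"],       # DLL alone: not flagged
    }
    for rel, files in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in files:
            open(os.path.join(folder, name), "wb").close()  # empty placeholder files
    return os.path.join(base, "Users", "alice", "AppData", "Local", "Temp", "staging")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_sideload_pairs(tmp):
            print("calc.exe beside WindowsCodecs.dll outside system dirs:", hit)
```

A hit is a lead for triage rather than a verdict; checking the DLL's signature and the parent process that launched calc.exe from that folder is the natural next step.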
