Security News > 2023 > May > QBot malware abuses Windows WordPad EXE to infect devices
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
Windows applications will prioritize DLLs in the same folder as the executable, loading them before all others.
DLL hijacking is when a threat actor creates a malicious DLL of the same name as a legitimate one, and places it in the early Windows search path, usually the same folder as the executable.
Security researcher and Cryptolaemus member ProxyLife told BleepingComputer that a new QBot phishing campaign began abusing a DLL hijacking vulnerability in the Windows 10 WordPad executable, write.
Exe is launched, it automatically attempts to load a legitimate DLL file called edputil.
Exe so it is loaded instead. Once the DLL is loaded, ProxyLife told BleepingComputer that the malware uses C:Windowssystem32curl.
News URL
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)