Threat actors deployed DLL hijacking to spread the QBot malware

December 3, 2022

A new phishing campaign that exploits a DLL hijacking vulnerability has been spreading the QBot malware. Based on reports, this campaign abuses the Windows Control Panel executable to compromise targeted devices.

The phishing operators use stolen reply-chain emails to disseminate a malicious HTML file attachment. The attachment displays an image that pretends to be a Google Drive page and downloads a password-protected ZIP file that contains an ISO file.

The ISO file includes a Windows Shortcut ([.]lnk file), a Windows 10 Control Panel executable (control[.]exe), and two DLL files called msoffice32[.]dll and edputil[.]dll. msoffice32[.]dll is the QBot malware, and edputil[.]dll is the file the adversaries use for DLL hijacking.

Once a target opens the file, Windows 10 or newer automatically mounts the ISO disk image as a new drive letter. The [.]lnk file uses a folder icon to lure the user into opening it, which executes control[.]exe.

When it runs, control[.]exe tries to load the legitimate edputil[.]dll, but a DLL of that name is sitting in the same folder as control[.]exe.

Hence, the malicious DLL is loaded instead of the legitimate one when the Windows executable runs, and it compromises the computer with QBot via the command regsvr32[.]exe msoffice32[.]dll.
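An added detection example, not from the article or any vendor tool: a Python check over constructed Sysmon-style image-load records that flags a Windows binary resolving one of its known DLL dependencies from outside the system directories, which is the control[.]exe / edputil[.]dll pattern this campaign relies on. The log format, field names and the WATCHLIST contents are assumptions.

```python
import ntpath
from typing import Iterable, List, Optional

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Trusted binary -> DLLs it should only ever resolve from a system directory.
# control.exe/edputil.dll is the pair the article describes; further entries
# are assumptions a defender would fill in from their own baseline.
WATCHLIST = {"control.exe": {"edputil.dll"}}


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' image-load record."""
    return dict(tok.split("=", 1) for tok in line.strip().split("|") if "=" in tok)


def check_image_load(process: str, loaded: str) -> Optional[str]:
    """Return an alert string when a watchlisted pair resolves outside the system dirs."""
    proc = ntpath.basename(process).lower()
    dll = ntpath.basename(loaded).lower()
    if dll not in WATCHLIST.get(proc, ()):
        return None                      # not a pair we track
    if in_system_dir(loaded):
        return None                      # resolved from System32/SysWOW64: benign
    origin = "system binary" if in_system_dir(process) else "relocated copy"
    return f"{proc} ({origin} at {process}) loaded {dll} from {ntpath.dirname(loaded)}"


def scan(lines: Iterable[str]) -> List[str]:
    """Run the check over image-load records (Sysmon-style EventID 7 fields assumed)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = check_image_load(ev.get("Image", ""), ev.get("ImageLoaded", ""))
        if hit:
            alerts.append(hit)
    return alerts


SAMPLE_LOG = [  # constructed events; the second mirrors the ISO mounted as drive D:
    r"EventID=7|Image=C:\Windows\System32\control.exe|ImageLoaded=C:\Windows\System32\edputil.dll",
    r"EventID=7|Image=D:\control.exe|ImageLoaded=D:\edputil.dll",
    r"EventID=7|Image=D:\control.exe|ImageLoaded=C:\Windows\System32\shell32.dll",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The relocated-copy case is the one this campaign produces, since control[.]exe itself is shipped inside the ISO next to the rogue DLL.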

The QBot malware has become an elusive dropper because it can bypass security detection.

Installing QBot through trusted Windows programs such as the Windows 10 Control Panel keeps security tools from raising suspicion, so the malware can carry out its activities.

QBot also operates quietly in the background, harvests emails for further phishing attacks, and downloads additional post-exploitation toolkits such as Cobalt Strike or Brute Ratel. The operators then use these payloads to acquire remote access to corporate networks, allowing hackers to execute ransomware attacks and data theft operations.

The QBot threat, which evolved from a banking trojan, has become a malware dropper. More and more actors now use this malware since it can evade detection by exploiting trusted networks.
