Qbot hackers exploiting Windows 10 Control Panel flaw
Kaspersky said last month that it had found more than 400 infected websites spreading the notorious banking Trojan
The operators of QBot malware are using a DLL hijacking flaw in the Windows 10 Control Panel to infect computers and avoid being detected by security software.
The notorious banking Trojan QBot, also known as Qakbot, is capable of stealing user data and emails from compromised corporate networks, propagating across the network, and installing ransomware or other Trojans on other devices therein.
This malware is also used by ransomware gangs including Black Basta, Egregor and Prolock to obtain early access to corporate networks.
Phishing tactics that use different lures, such as bogus invoices, payment and banking details, scanned documents, or bills, often cause victims to be infected with QBot.
QBot may also infect victims when they are already infected with another kind of malware.
Kaspersky said last month that it had found more than 400 infected websites spreading QBot so far.
Security researcher ProxyLife found in July that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability to install the QBot malware.
ProxyLife told BleepingComputer this week that hackers had switched to a new scheme that uses a DLL hijacking weakness in the control.exe executable of the Windows 10 Control Panel.
Threat actors often use DLL hijacking, which takes advantage of the way Windows loads dynamic link libraries (DLLs).
In a phishing campaign that ProxyLife came across, the threat actors used stolen reply-chain emails to disseminate an HTML file attachment. This attachment downloaded a password-protected ZIP achieve with an ISO file inside.
The HTML file, which has a name similar to "RNP [number] [number].html," shows an image pretending to be Google Drive and a password for a ZIP archive.
When double-clicked, the ISO disc image in this ZIP package will launch in a new drive letter on Windows 10 and subsequent versions of the operating system.
A Windows Shortcut (.LNK) file, the Windows 10 Control Panel programme (control.exe), and two DLL files msoffice32.dll (QBot malware) and edputil.dll (used for DLL hijack) are all included in this ISO file.
The icon for the Windows shortcut (.LNK) that is included in the ISO is designed to make it appear like a folder.
However, when a user tries to open this fake folder, the shortcut launches the executable file (control.exe) for the Windows 10 Control Panel, which is contained in the ISO file.
When control.exe is opened, it attempts to load the legitimate edputil.dll DLL, which is placed in the C:\Windows\System32 folder.
However, it does not look for the DLL in particular directories and will load any DLL with the same name that is put in the same location as the control.exe.
Because the threat actors are packaging a malicious version of edputil.dll as a DLL and placing it in the same location as control.exe, the malicious DLL is loaded instead.
Once loaded, the malicious edputil.dll DLL uses the regsvr32.exe msoffice32.dll command to infect the system with the QBot malware (msoffice32.dll).
Security software may not identify QBot as malicious since it is installed via a trusted programme like the Windows 10 Control Panel, thereby enabling the malware to avoid detection.
Now, QBot will covertly operate in the background, downloading extra payloads like Brute Ratel or Cobalt Strike and stealing emails for use in phishing attacks.