Phishing emails distributing the QBot malware are using a DLL hijacking flaw in the Windows 10 Control Panel to infect computers, likely as an attempt to evade detection by security software.
DLL hijacking is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are loaded in Windows.
When a Windows executable is launched, it searches the Windows search path for its DLL dependencies. Because the folder containing the executable is typically checked before the system directories, a threat actor who creates a malicious DLL with the same name as one of the program's required DLLs and stores it in the same folder as the executable can cause the program to load that malicious DLL instead and infect the computer.
QBot, also known as Qakbot, is Windows malware that started as a banking trojan but evolved into a full-featured malware dropper. Ransomware gangs, including Black Basta, Egregor, and Prolock, also use the malware to gain initial access to corporate networks.
In July, security researcher ProxyLife discovered that threat actors were exploiting a DLL hijacking vulnerability in the Windows 7 Calculator to install the QBot malware.
This week, ProxyLife told BleepingComputer that attackers have switched to using a DLL hijacking flaw in the Windows 10 Control Panel executable, control.exe.
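A defender-side check for the pattern this article describes, as an added example that is not from the original article: it flags image-load events in which a copy of control.exe or calc.exe runs outside the Windows system directories and loads a DLL from its own folder. The field names follow Sysmon Event ID 7 (image loaded); the sample events, user name, paths and DLL names are constructed, and the system directory list assumes a default install.

```python
import ntpath

# System binaries this article names as abused; extend for your environment.
WATCHED_BINARIES = {"control.exe", "calc.exe"}
# Assumed default locations of those binaries on a standard Windows install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _norm(path):
    """Collapse '..' segments and case so path comparisons are reliable."""
    return ntpath.normpath(path).lower()


def is_sideload(event):
    """True when a watched binary runs outside the system directories
    and loads a DLL that sits in the binary's own folder."""
    image_dir, image_name = ntpath.split(_norm(event["Image"]))
    loaded_dir = ntpath.dirname(_norm(event["ImageLoaded"]))
    if image_name not in WATCHED_BINARIES:
        return False
    if image_dir in SYSTEM_DIRS:
        return False  # binary is in its normal location
    return loaded_dir == image_dir


def find_sideloads(events):
    """Return the events that match the hijacking pattern."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"Image": r"C:\Users\alice\Downloads\doc\control.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\doc\placeholder.dll"},
    {"Image": r"C:\Users\alice\Downloads\doc\control.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Windows\System32\..\Temp\calc.exe",
     "ImageLoaded": r"C:\Windows\Temp\placeholder.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("suspicious load:", hit["Image"], "->", hit["ImageLoaded"])
```

The relocated binary loading a DLL from System32 is not flagged, since only the DLL taken from the binary's own folder matches the hijacking pattern.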