The QBot malware has started leveraging a DLL hijacking vulnerability in the Windows 10 WordPad program to infect computers. By using the legitimate WordPad program, the malware can evade detection by security software.
DLL hijacking involves creating a malicious DLL with the same name as a legitimate one and placing it in the early Windows search path, tricking the program into loading and executing the malicious commands within it.
QBot, also known as Qakbot, is a Windows malware that initially targeted banking credentials but has evolved into a malware dropper. Ransomware groups such as Black Basta, Egregor, and Prolock have collaborated with QBot to gain initial access to corporate networks for extortion attacks. In a recent phishing campaign, QBot abused a DLL hijacking vulnerability in the Windows 10 WordPad executable.
The malicious emails contained a link to download a ZIP file that included a disguised DLL file and a renamed copy of the WordPad executable.
When the compromised WordPad executable is launched, it attempts to load the malicious DLL instead of the legitimate one, leading to the execution of the malware’s commands. The malware then uses the curl.exe program to download a DLL camouflaged as a PNG file, which is executed to install QBot.
Once installed, QBot operates silently in the background, stealing emails for further phishing attacks and downloading additional payloads like Cobalt Strike for network infiltration and data theft.
By exploiting a trusted program like WordPad, QBot aims to bypass security software detection. However, this particular infection method only works on Windows 10 and later versions, as earlier versions lack the Curl program.
While the QBot operation has moved on to other infection methods, they may resort to previous tactics in future campaigns. It highlights the importance of maintaining up-to-date security measures to protect against DLL hijacking and similar malware attacks.
