One of the most beloved Windows tools could actually be a huge security risk
Windows calculator being abused to sideload Qbot
Calculator, one of the most basic (and most useful) Windows tools, is being abused to load malware onto target endpoints, researchers have found.
ProxyLife experts discovered that the Windows calculator tool can be used to infect a device with Qbot, a known malware dropper used to deliver Cobalt Strike beacons to targeted devices, which is often the first step in a ransomware attack.
As usual, the attack starts with a phishing attempt. The threat actor emails the victim an HTML file attachment which, in turn, downloads a password-protected .ZIP archive. Being password-protected helps the payload avoid detection by antivirus programs. Extracting the .ZIP archive reveals an .ISO file, a digital file format replicating a physical CD, DVD, or BD. Mounting the .ISO brings forth four files: two .DLL files (one of which is the Qbot malware), one shortcut (posing as the file the victim is supposed to open), and the calculator program (calc.exe).
Running malicious DLLs
The shortcut does nothing more than launch the calculator, but here is the fun part: when the calculator starts, it looks for the .DLL files it needs in order to run. It does not go straight to the system folders; it looks first and foremost in the same folder as calc.exe itself. Which brings us back to the two .DLL files that the victim downloaded together with the calculator.
Running the calculator loads the first .DLL file, and that one in turn loads the second, which in this case is the Qbot malware.
The practice is also known as DLL side-loading.
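To make the mechanism concrete from a defender's point of view, here is an added example (not code from the article, ProxyLife, or BleepingComputer) that models the search order described above, in which the application's own folder is consulted before the system directory, and applies two triage checks to a directory listing: which DLLs next to the executable shadow a same-named DLL in the system folder, and whether a folder shows the "shortcut + executable + sibling DLLs" bundle shape. The file listing, drive letter and DLL names are constructed placeholders, and the search order is a simplified model rather than the loader's full logic.

```python
from pathlib import PureWindowsPath

# Simplified model of the loader's standard search order (assumption for this
# example): the application directory is checked before the system directories.
def build_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs=()):
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def resolve_dll(dll_name, search_order, present_files):
    """Return the first location in search_order where dll_name exists, else None.

    present_files is a set of lowercase absolute Windows paths (constructed).
    """
    for directory in search_order:
        candidate = str(PureWindowsPath(directory) / dll_name).lower()
        if candidate in present_files:
            return candidate
    return None


def shadowed_dlls(app_dir, system_dir, present_files):
    """List DLLs sitting beside the executable that also exist in system_dir.

    A DLL that normally comes from the system folder but is instead present next
    to the executable is the classic side-loading indicator.
    """
    app = str(PureWindowsPath(app_dir)).lower()
    sysd = str(PureWindowsPath(system_dir)).lower()
    names = []
    for f in present_files:
        wp = PureWindowsPath(f)
        if str(wp.parent).lower() == app and wp.suffix.lower() == ".dll":
            if str(PureWindowsPath(sysd) / wp.name).lower() in present_files:
                names.append(wp.name)
    return sorted(names)


def triage_listing(paths):
    """Flag folders that mix a shortcut, an executable and DLLs: the bundle
    shape the article describes for the mounted ISO. Returns (folder, reason)."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.suffix.lower())
    findings = []
    for folder, exts in by_dir.items():
        if {".exe", ".dll", ".lnk"} <= exts:
            findings.append((folder, "shortcut + executable + sibling DLL(s)"))
    return findings


# Constructed snapshot: a mounted ISO on drive E: beside a normal system folder.
# "helper.dll" and "payload.dll" are placeholder names, not the campaign's.
PRESENT = {
    "e:\\calc.exe",
    "e:\\helper.dll",
    "e:\\payload.dll",
    "e:\\invoice.lnk",
    "c:\\windows\\system32\\helper.dll",
}
ORDER = build_search_order("E:\\", "C:\\Windows\\System32", "C:\\Windows", "E:\\")

if __name__ == "__main__":
    # The copy beside calc.exe wins over the genuine one in System32.
    print("resolved:", resolve_dll("helper.dll", ORDER, PRESENT))
    print("shadowed:", shadowed_dlls("E:\\", "C:\\Windows\\System32", PRESENT))
    print("triage:", triage_listing(PRESENT))
```

Run as a script it shows the DLL being resolved from the ISO folder rather than System32, the shadowed name, and the flagged folder. In practice the same checks are worth running against the contents of any mounted ISO or extracted archive that arrived by email, and against process-creation telemetry where a Microsoft-signed binary runs from a removable or mounted drive.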
It is also worth mentioning that this attack does not work on Windows 10 or Windows 11, but it does work on Windows 7, which is why the threat actors bundle the Windows 7 version of the calculator. The campaign has been active since July 11 and, apparently, is still active at press time.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.