One of the most widespread banking Trojans now uses the Windows calculator to infect computers running Windows. Baptized Qbot (also known as Qakbot), it is a banking Trojan first detected in 2009, and it has evolved a lot since then. In particular, it can record keystrokes and steal banking information.
The attack appears to be quite targeted, since it uses email thread hijacking, which relies on a compromised email account. The attackers pick up threads found in the inbox and reply to them with the malware as an attachment. The victim therefore receives an e-mail from a known sender in the course of an existing exchange.
The technique relies on a series of files nested inside each other like Russian dolls. The victim receives an email with an attachment in HTML format (a web page). Once opened, it downloads a compressed archive (.zip), displays an error message pretending that a PDF file could not be opened, and asks the user to open the downloaded file using a password. The password makes it possible to evade detection by antivirus software, which is unable to analyze the content of the protected archive.
Misuse of the calculator
The compressed archive contains a disk image (.iso) which, when opened, is mounted by the system as a CD-ROM. It contains a shortcut (.lnk) whose icon has been modified to look like a PDF document or web page. It also contains three hidden files: an ordinary copy of the calculator (calc.exe) and two DLLs, WindowsCodecs.dll and a second one named with a random number. In the analyzed example, it is 7533.dll.
From here the attackers use a technique called DLL sideloading, which involves going through a legitimate program to load malicious files. In this case, the malware is contained in the 7533.dll file. Unless the display of hidden files is enabled, the victim only sees the shortcut that pretends to be a document. Opening it launches the copy of calc.exe, which loads system components, including WindowsCodecs.dll. Normally the latter is a legitimate file located in the Windows folders, but the calculator checks its own folder first and therefore loads the modified version that came with the download.
#Qakbot – obama201 – html > .zip > .iso > .lnk > calc.exe > .dll > .dll
T1574 – DLL Search Order Hijacking
cmd.exe /q /c calc.exe
regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll
— proxylife (@pr0xylife) July 14, 2022
A malware that can hide another
Finally, the modified DLL makes it possible to use the calculator to launch regsvr32.exe (the Windows tool that registers DLLs) in order to load the last file (7533.dll), which contains the Qbot malware. This can then infect the Windows file explorer (explorer.exe) and steal information. Moreover, Qbot is not only a banking Trojan. Over the years, this malware has also gained loader capabilities, i.e. it can be used to install other malware. It has already been used to deploy RansomExx, Maze, ProLock, Egregor and Black Basta.
This attack does not work with the current version of the calculator, as this flaw has already been fixed. However, the downloaded file contains an older copy of the calculator that is still affected, which allows this technique to be used to infect newer versions of Windows. To avoid this attack, follow the usual recommendations: check that your antivirus is up to date, and never open an attachment if you don't know what it is, even if you know the sender.
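The chain described above (a copy of calc.exe running outside the Windows system folders, WindowsCodecs.dll loaded from the program's own folder, regsvr32.exe spawned by calc.exe) leaves a recognizable trace in endpoint telemetry. The following detection logic is an added example, not code from the original article or from any named vendor; the Sysmon-style events it scans are constructed, and the D:\ drive letter for the mounted ISO is an assumption.

```python
"""Flag the calc.exe DLL sideloading chain in Sysmon-style records:
EventID 1 = process create, EventID 7 = image (DLL) load."""
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLLs that legitimately live in the system folders; loading them from
# anywhere else is the sideloading signal the article describes.
SYSTEM_DLLS = {"windowscodecs.dll"}


def image_dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def detect(events):
    """Return (rule_name, evidence) tuples for every suspicious event."""
    alerts = []
    for e in events:
        image = e["Image"].lower()
        name = ntpath.basename(image)
        if e["EventID"] == 1:
            # Rule 1: the calculator started from a non-system location
            if name == "calc.exe" and image_dir(image) not in SYSTEM_DIRS:
                alerts.append(("calc_outside_system_dir", e["Image"]))
            # Rule 3: regsvr32 should never be a child of the calculator
            parent = ntpath.basename(e.get("ParentImage", "")).lower()
            if name == "regsvr32.exe" and parent == "calc.exe":
                alerts.append(("regsvr32_spawned_by_calc", e["CommandLine"]))
        elif e["EventID"] == 7:
            # Rule 2: a system DLL resolved from the process's own folder
            loaded = e["ImageLoaded"].lower()
            if (ntpath.basename(loaded) in SYSTEM_DLLS
                    and image_dir(loaded) not in SYSTEM_DIRS
                    and image_dir(loaded) == image_dir(image)):
                alerts.append(("windowscodecs_sideloaded", e["ImageLoaded"]))
    return alerts


# Constructed sample telemetry; D:\ stands for the mounted ISO image.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "calc.exe"},
    {"EventID": 7, "Image": r"D:\calc.exe", "ImageLoaded": r"D:\WindowsCodecs.dll"},
    {"EventID": 7, "Image": r"D:\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},  # normal load
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"D:\calc.exe", "CommandLine": r"regsvr32 /s D:\7533.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",  # benign launch
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "calc.exe"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```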