# QBot phishing uses Windows Calculator DLL hijacking to infect devices **[bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/](https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) July 24, 2022 11:18 AM 0 The operators of the QBot malware have been using a DLL hijacking flaw in Windows Calculator to infect computers, which also helps evade detection by security software. DLL hijacking is a common attack method that takes advantage of how Dynamic Link Libraries (DLLs) are handled in Windows. It consists of creating a malicious version of a legitimate DLL required by the program, and placing it early in the search order used to find a required DLL. This folder is commonly the same folder as the executable. When the executable is launched, it will find the malicious version with the same name in the same folder, loading that instead and infecting the computer. ----- QBot, also known as Qakbot is a Windows malware strain that started as a banking trojan but evolved into a malware dropper, and is used by [ransomware gangs in the early stages of](https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-ransomware-in-bot-powered-attacks/) the attack to drop Cobalt Strike beacons. [Security researcher ProxyLife recently discovered that Qakbot, has been abusing the the](http://twitter.com/pr0xylife) Windows 7 Calculator app for DLL hijacking attacks since at least July 11. The method continues to be used in malspam campaigns. [#Qakbot - obama200 - html > .zip > .iso > .lnk > calc.exe > .dll > .dll](https://twitter.com/hashtag/Qakbot?src=hash&ref_src=twsrc%5Etfw) T1574 - DLL Search Order Hijacking cmd.exe /q /c calc.exe regsvr32 /s C:\Users\User\AppData\Local\Temp\WindowsCodecs.dll [regsvr32.exe 102755.dllhttps://t.co/2Vgg6cuRFh](https://t.co/2Vgg6cuRFh) [IOC'shttps://t.co/e7hkNW8eQu](https://t.co/e7hkNW8eQu) [pic.twitter.com/sCH1xagkyR](https://t.co/sCH1xagkyR) [— proxylife (@pr0xylife) July 11, 2022](https://twitter.com/pr0xylife/status/1546607135089430532?ref_src=twsrc%5Etfw) ## New QBot infection chain To help defenders protect against this threat, ProxyLife and researchers at [Cyble documented the latest QBot infection chain.](https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/) The emails used in the latest campaign carry an HTML file attachment that downloads a password-protected ZIP archive with an ISO file inside. The password for opening the ZIP file is shown in the HTML file, and the reason for locking the archive is to evade antivirus detection. ----- **HTML attachment on QBot spam emails** The ISO contains a .LNK file, a copy of 'calc.exe' (Windows Calculator), and two DLL files, namely WindowsCodecs.dll and a payload named 7533.dll. **ZIP archive contents** When the user mounts the ISO file, it only displays the .LNK file, which is masqueraded to look like a PDF holding important information or a file that opens with Microsoft Edge browser. However, the shortcut points to the Calculator app in Windows, as seen in the properties dialog for the files. ----- **Properties of the PDF file that triggers the infection** Clicking the shortcut triggers the infection by executing the Calc.exe through the Command Prompt. When loaded, the Windows 7 Calculator automatically searches for and attempts to load the legitimate WindowsCodecs DLL file. However, it does not check for the DLL in certain hard coded paths, and will load any DLL with the same name if placed in the same folder as the Calc.exe executable. The threat actors take advantage of this flaw by creating their own malicious WindowsCodecs.dll file that launches the other [numbered].dll file, which is the QBot malware. By installing QBot through a trusted program like the Windows Calculator, some security software may not detect the malware when it is loaded, allowing the threat actors to evade detection. It should be noted, that this DLL hijacking flaw no longer works in Windows 10 Calc.exe and later, which is why the threat actors bundle the Windows 7 version. QBot has been around for more than a decade, with origins going as far back as 2009 [[1,](https://www.symantec.com/security-center/writeup/2009-050707-0639-99?tabid=3) [2,](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FQakbot) [3,](http://contagiodump.blogspot.com/2010/11/template.html) [4]. While campaigns delivering it are not frequent, it was observed being distributed](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/80/qakbot-a-prevalent-infostealing-malware) by Emotet botnet in the past to drop ransomware payloads. ----- [Among the ransomware families that QBot delivered are RansomExx, Maze, ProLock,](https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-with-qakbot-trojan-for-network-access/) [and Egregor. More recently, the malware dropped Black Basta ransomware.](https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/) ### Related Articles: [Microsoft finds Raspberry Robin worm in hundreds of Windows networks](https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/) [Malicious Windows 'LNK' attacks made easy with new Quantum builder](https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attacks-made-easy-with-new-quantum-builder/) [Malicious PyPi packages turn Discord into password-stealing malware](https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-turn-discord-into-password-stealing-malware/) [New Windows PowerToys OCR tool will let you copy text from images](https://www.bleepingcomputer.com/news/microsoft/new-windows-powertoys-ocr-tool-will-let-you-copy-text-from-images/) [Malware devs already bypassed Android 13's new security feature](https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----