A new QBot malware campaign is taking advantage of a DLL hijacking flaw in the utility application WordPad in order to avoid detection by security tools. Abusing legitimate Windows programs is becoming a popular trend among cybercriminals.
Abuse of campaign
Security researcher and Cryptolaemus member ProxyLife claims that the new QBot phishing campaign abuses a DLL hijacking flaw in the WordPad executable, write[.]exe.
The campaign uses phishing emails containing a link to download a file. When a user clicks on the link, it downloads a randomly named ZIP archive from a remote host.
This ZIP archive contains two files: document[.]exe, which is a renamed copy of the legitimate WordPad executable write[.]exe, and edputil[.]dll, the DLL used for the hijack.
Inside the attack
Whenever document[.]exe is executed, it automatically tries to load a genuine DLL, edputil[.]dll, which is normally stored in the C:\Windows\System32 folder.
Because the executable also checks its own folder when resolving edputil[.]dll, the attacker ships a malicious edputil[.]dll in the same folder as document[.]exe, where the application looks for it.
When the lookup finds the malicious DLL, it is loaded into WinWord. Once loaded, the DLL uses curl[.]exe to download a further DLL disguised as a PNG file; that DLL launches the QBot malware.
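The two observable steps above (a hijackable DLL resolved from a user-writable folder instead of System32, then curl[.]exe spawned by that same process) can be turned into a simple detection. The following is an added example, not code from the original article: it runs over a few constructed, Sysmon-style key=value event lines (EventID 7 for image loads, EventID 1 for process creation; the field names are an assumption about the log format) and raises an alert for each step.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real events): one key=value record per line.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\System32\\write.exe ImageLoaded=C:\\Windows\\System32\\edputil.dll
EventID=7 Image=C:\\Users\\bob\\Downloads\\a1b2\\document.exe ImageLoaded=C:\\Users\\bob\\Downloads\\a1b2\\edputil.dll
EventID=1 Image=C:\\Windows\\System32\\curl.exe ParentImage=C:\\Users\\bob\\Downloads\\a1b2\\document.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe
"""

# Locations where the genuine edputil.dll is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names known to be resolved from the application folder by WordPad (from the article).
HIJACKABLE_DLLS = {"edputil.dll"}


def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_system_path(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(text):
    """Return alert strings for sideloaded DLLs and downloader children of the sideloaded process."""
    alerts = []
    sideloaded = set()  # lower-cased image paths that loaded a hijackable DLL from a non-system folder
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "7":
            dll = ev["ImageLoaded"]
            if PureWindowsPath(dll).name.lower() in HIJACKABLE_DLLS and not is_system_path(dll):
                sideloaded.add(ev["Image"].lower())
                alerts.append(f"DLL hijack: {ev['Image']} loaded {dll}")
        elif ev.get("EventID") == "1":
            child = PureWindowsPath(ev["Image"]).name.lower()
            parent = ev.get("ParentImage", "")
            # curl.exe launched by a process that already loaded a sideloaded DLL
            if child == "curl.exe" and parent.lower() in sideloaded:
                alerts.append(f"Downloader: {parent} spawned {ev['Image']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The legitimate load of edputil.dll from System32 in the first line produces no alert; only the copy resolved from the Downloads folder, and the curl.exe it subsequently spawns, are flagged.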
Post-infection procedure
QBot, while running in the background, steals emails for use in further phishing attacks and downloads other payloads, such as Cobalt Strike - a post-exploitation toolkit used to gain initial access to the targeted system.
The infected system is then used to spread laterally throughout the network. Such access often leads to corporate data theft and ransomware attacks.
Conclusion
Operators of QBot malware are already known for rapidly switching distribution methods, and the abuse of the Windows 10 WordPad executable fits that strategy. Furthermore, the use of legitimate Windows programs combined with lateral movement capabilities makes it a vicious threat.