
This new malware hijacks Windows WordPad to avoid detection





Hackers have begun abusing a flaw in the WordPad text editor that comes preloaded with the Windows 10 operating system to distribute the Qbot malware, researchers have claimed.

A cybersecurity researcher and member of Cryptolaemus, going by the alias ProxyLife, found a new email campaign in which hackers are distributing the WordPad program together with a malicious .DLL.

When WordPad is launched, it looks for certain .DLL files it needs in order to run properly. It looks first in the folder where it resides, and if it finds the files there, it automatically loads and runs them, even if those .DLL files are malicious.

DLL hijacking

The practice is usually called “DLL sideloading” or “DLL hijacking” and it is a known method. Previously, hackers were seen using the Calculator app to do the same thing.

In this particular instance, when WordPad runs the DLL, the malicious file uses an executable called Curl.exe (found in the System32 folder) to download a DLL pretending to be a PNG. That DLL is actually Qbot, an old banking trojan that can steal emails for use in further phishing attacks and initiate the download of more malware, such as Cobalt Strike.

By using legitimate programs, such as WordPad or Calculator, to run the malicious DLL files, threat actors are hoping to bypass any antivirus programs and remain stealthy during the attack.

However, as this method requires Curl.exe, it only works on Windows 10 and newer versions, as earlier versions did not have this program preinstalled. That limitation offers little comfort, as older versions are mostly reaching end of support anyway, and users are moving towards Windows 10 and Windows 11.

Right now, BleepingComputer reports, the QBot operation has moved on to other infection methods in recent weeks.
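The chain described above leaves three observable traces: a Windows binary running outside its install folder, a DLL loaded from beside it, and Curl.exe started by that process. The following detection sketch is an added example, not code from the researchers or from BleepingComputer; the event fields, the sample paths, `example.dll`, the default install directories, and Curl.exe appearing as a direct child are all assumptions made for illustration.

```python
import ntpath

# Assumed default install directories (lower-case) for the binaries the
# article names; adjust for your own fleet.
EXPECTED_DIRS = {
    "wordpad.exe": {r"c:\program files\windows nt\accessories"},
    "calc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def _dir(path):
    return ntpath.dirname(path).lower()

def _name(path):
    return ntpath.basename(path).lower()

def is_relocated(image):
    """True if a known Windows binary runs from outside its install directory."""
    expected = EXPECTED_DIRS.get(_name(image))
    return expected is not None and _dir(image) not in expected

def find_sideloading(events):
    """Return (reason, event) pairs for the three traces of the chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            if is_relocated(ev["image"]):
                findings.append(("relocated_binary", ev))
            # Curl.exe itself is legitimate; the parent is what matters.
            if _name(ev["image"]) == "curl.exe" and is_relocated(ev["parent"]):
                findings.append(("curl_child_of_relocated_binary", ev))
        elif ev["type"] == "image_load":
            # DLL resolved from the host program's own non-standard folder.
            if is_relocated(ev["image"]) and _dir(ev["dll"]) == _dir(ev["image"]):
                findings.append(("dll_loaded_beside_relocated_binary", ev))
    return findings

# Constructed sample events (simplified process-creation / image-load records).
SAMPLE = [
    {"type": "process_create", "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\doc\wordpad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "image": r"C:\Users\alice\Downloads\doc\wordpad.exe", "dll": r"C:\Users\alice\Downloads\doc\example.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\Downloads\doc\wordpad.exe", "dll": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Users\alice\Downloads\doc\wordpad.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for reason, ev in find_sideloading(SAMPLE):
        print(reason, ev)
```

The legitimately installed WordPad and the Curl.exe launched from cmd.exe in the sample produce no findings, which is the point: the signal is the location and parentage, not the binary names.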

Via: BleepingComputer
