A recent malware campaign reported by Cyble shows evolving phishing methods used to deploy Qakbot malware. The attack uses recently observed methods to perform a DLL side-loading attack, exploiting a vulnerable Windows 7 calculator executable in order to deliver the Qakbot payload.
While the use of .html files and attachments aren’t new to phishing, attackers seem to be having success circumventing security measures using these techniques. Utilizing a password protected .zip file that contains a .iso, attackers are able to trick victims into clicking .lnk files which point to malicious payloads hidden within the .iso images.
In this particular attack, a legitimate (but vulnerable) Windows 7 calc.exe masquerades as a document. When the victim opens this file, a chain of events unfolds in where a malicious .dll is called and ultimately the Qakbot payload is downloaded on the victims machine. Cyble has a very good write up of it, included in the link below.
So what can we do? Ultimately the advice is the same. Educate users not open unexpected attachments and be sure to report anything that looks off. Be sure all endpoint systems are protected and be sure to have network monitoring, and logging in place. Also make sure to develop your Incident Response Plans and Playbooks so you know specifically how to react and contain an incident, using the tools in your environment.
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
- https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/
