Project Hyphae

Qakbot Learns Calc


A recent malware campaign reported by Cyble shows how the phishing methods used to deliver Qakbot keep evolving. The attack performs DLL side-loading: it ships a legitimate Windows 7 calc.exe that is susceptible to DLL search-order hijacking (it resolves one of its DLL dependencies from its own directory before the system directories), so a malicious DLL placed next to it is loaded under the calculator's name and ultimately delivers the Qakbot payload.

Neither .html attachments nor nested archives are new to phishing, but attackers keep getting past security controls with them. The chain here is an .html attachment that drops a password-protected .zip, which in turn contains a .iso image. The password keeps mail gateways and antivirus from inspecting the archive, and at the time of this campaign Windows did not propagate Mark-of-the-Web to files inside a mounted .iso, so the usual SmartScreen and Protected View warnings do not fire. Inside the image, a .lnk shortcut is the only file the victim is meant to see; it points at the malicious payload files hidden alongside it.

In this particular attack, the shortcut masquerades as a document and launches a legitimate (but hijackable) Windows 7 calc.exe stored in the same image. When the victim opens it, calc.exe looks for one of its DLL dependencies in its own directory first, finds the attacker's DLL under that name and loads it; that DLL carries the chain forward until the Qakbot payload is running on the victim's machine. Cyble has a very good write-up of it, included in the link below.

So what can we do? Ultimately the advice is the same. Educate users not to open unexpected attachments and to report anything that looks off. Make sure every endpoint is protected, and have network monitoring and logging in place. This chain also leaves specific footprints worth a detection rule: a process named calc.exe running from somewhere other than the Windows system directories (a mounted .iso appears as a new drive letter), a DLL loaded from the same directory as that executable rather than from System32, and a shortcut launching an executable from mounted or removable media. Finally, develop your incident response plans and playbooks so you know specifically how to react to and contain an incident using the tools in your environment.
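To make the "have logging in place" advice concrete for the chain described above, here is an added example (not code from the original post or from Cyble's report) that runs three detections over Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records: a known system binary name running from a non-system directory, an unsigned DLL loaded from that binary's own directory, and a living-off-the-land binary spawned by the flagged process. The event field names are a simplified stand-in for Sysmon's, the sample events are constructed rather than captured telemetry, the side-loaded DLL name is a placeholder, and the regsvr32/rundll32 hand-off rule is a general-tradecraft assumption, not a claim about this campaign.

```python
"""Toy detector for the calc.exe DLL side-loading chain.

Added example, not the post's or Cyble's code. Field names are a simplified
stand-in for Sysmon's Image / ImageLoaded / Signed / ParentProcessId, and all
sample events below are constructed.
"""
import ntpath

# Directories where genuine copies of Windows system binaries live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System binaries worth flagging when they run from anywhere else.
# calc.exe is the one from the campaign; extend as needed.
MASQUERADE_NAMES = {"calc.exe"}

# LOLBins a side-loaded DLL commonly hands off to (general-tradecraft
# assumption, not something the post states about this campaign).
LOLBINS = {"regsvr32.exe", "rundll32.exe"}


def _dir(path):
    """Normalised, lower-cased directory of a Windows path (works on any OS)."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return a list of (rule, pid, detail) tuples for suspicious events."""
    alerts = []
    # PIDs of system-binary look-alikes running outside the system directories.
    suspicious_pids = set()
    for ev in events:
        image = ev["image"]
        if ev["id"] == 1:
            # Rule 1: known system binary name launched from a non-system directory
            # (a mounted .iso shows up as a drive letter such as E:\).
            if _name(image) in MASQUERADE_NAMES and _dir(image) not in SYSTEM_DIRS:
                suspicious_pids.add(ev["pid"])
                alerts.append(("masqueraded_system_binary", ev["pid"], image))
            # Rule 3: a flagged process spawns a LOLBin.
            if ev.get("parent_pid") in suspicious_pids and _name(image) in LOLBINS:
                alerts.append(("lolbin_from_sideloaded_process", ev["pid"], image))
        elif ev["id"] == 7:
            # Rule 2: unsigned DLL loaded from the image's own directory, and that
            # directory is not a system directory (the side-loading signature).
            loaded = ev["loaded"]
            if (_dir(loaded) == _dir(image)
                    and _dir(image) not in SYSTEM_DIRS
                    and not ev.get("signed", False)):
                alerts.append(("possible_dll_sideload", ev["pid"], loaded))
    return alerts


# Constructed sample events: two benign records for the real calculator, then
# the chain from the post with a look-alike calc.exe on a mounted .iso (E:\).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "parent_pid": 1000, "image": r"C:\Windows\System32\calc.exe"},
    {"id": 7, "pid": 4120, "image": r"C:\Windows\System32\calc.exe",
     "loaded": r"C:\Windows\System32\ole32.dll", "signed": True},
    {"id": 1, "pid": 5212, "parent_pid": 1000, "image": r"E:\calc.exe"},
    {"id": 7, "pid": 5212, "image": r"E:\calc.exe",
     "loaded": r"E:\sideload.dll", "signed": False},  # placeholder DLL name
    {"id": 1, "pid": 5300, "parent_pid": 5212, "image": r"C:\Windows\System32\regsvr32.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The benign records produce nothing because the real calculator and its DLL both live in System32; the look-alike trips all three rules in order. In a real deployment the same logic maps onto Sysmon's Image, ImageLoaded, Signed and ParentProcessId fields, and the first rule should be tuned for legitimate software that ships its own copies of system-named binaries.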

Reach out to our incident response team for help
