Project Hyphae

Qakbot Learns Calc

Share This Post

A recent malware campaign reported by Cyble shows evolving phishing methods used to deploy Qakbot malware. The attack uses recently observed methods to perform a DLL side-loading attack, exploiting a vulnerable Windows 7 calculator executable in order to deliver the Qakbot payload.

While the use of .html files and attachments aren’t new to phishing, attackers seem to be having success circumventing security measures using these techniques. Utilizing a password protected .zip file that contains a .iso, attackers are able to trick victims into clicking .lnk files which point to malicious payloads hidden within the .iso images.

In this particular attack, a legitimate (but vulnerable) Windows 7 calc.exe masquerades as a document. When the victim opens this file, a chain of events unfolds in where a malicious .dll is called and ultimately the Qakbot payload is downloaded on the victims machine. Cyble has a very good write up of it, included in the link below.

So what can we do? Ultimately the advice is the same. Educate users not open unexpected attachments and be sure to report anything that looks off. Be sure all endpoint systems are protected and be sure to have network monitoring, and logging in place. Also make sure to develop your Incident Response Plans and Playbooks so you know specifically how to react and contain an incident, using the tools in your environment.

Reach out to our incident response team for help

More To Explore

Information Security News 9-18-2023

Iranian Cyberspies Target Thousands of Organizations with Password Spray Attacks Article Link: Requests via Facebook Messenger Lead to Hijacked Business Accounts Article Link:

Information Security News 9-11-2023

University of Michigan Requires Password Resets After Cyberattack Article Link: Attackers Accessed UK Military Data Through High-Security Fencing Firm’s Windows 7 Rig Article Link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.