Project Hyphae

Qakbot Learns Calc


A recent malware campaign reported by Cyble shows evolving phishing methods used to deploy Qakbot malware. The attack uses recently observed methods to perform a DLL side-loading attack, exploiting a vulnerable Windows 7 calculator executable in order to deliver the Qakbot payload.

While the use of .html files and attachments isn't new to phishing, attackers seem to be having success circumventing security measures using these techniques. Utilizing a password-protected .zip file that contains a .iso, attackers are able to trick victims into clicking .lnk files which point to malicious payloads hidden within the .iso images.

In this particular attack, a legitimate (but vulnerable) Windows 7 calc.exe masquerades as a document. When the victim opens this file, a chain of events unfolds in which a malicious .dll is called and ultimately the Qakbot payload is downloaded on the victim's machine. Cyble has a very good write-up of it, included in the link below.

So what can we do? Ultimately the advice is the same. Educate users not to open unexpected attachments and to report anything that looks off. Be sure all endpoint systems are protected, and be sure to have network monitoring and logging in place. Also make sure to develop your Incident Response Plans and Playbooks so you know specifically how to react to and contain an incident, using the tools in your environment.
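One way to turn the monitoring and logging advice into a concrete check, as an added example that is not from this post or from Cyble's report: flag any calc.exe that runs from outside the Windows system directories, and any DLL it loads from its own folder. The event dictionaries are constructed samples using simplified Sysmon-style field names (Event ID 1 process creation, Event ID 7 image load); the drive letter, DLL name and default `C:\Windows` install path are assumptions.

```python
import ntpath  # Windows path semantics, usable on any analysis host

# Assumption: default install path. A genuine calc.exe lives in one of these.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events (simplified Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"E:\calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"E:\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"E:\calc.exe",
     "ImageLoaded": r"E:\example.dll"},  # hypothetical DLL name
]


def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def find_sideload_candidates(events):
    """Return (rule, image, detail) tuples for calc.exe seen outside system dirs."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() != "calc.exe":
            continue
        image_dir = _dir(image)
        if image_dir in SYSTEM_DIRS:
            continue  # expected location, nothing to report
        if ev.get("EventID") == 1:
            # Process creation: a relocated copy of calc.exe was started.
            findings.append(("calc_outside_system_dir", image,
                             ev.get("ParentImage", "")))
        elif ev.get("EventID") == 7:
            # Image load: a DLL sitting beside the relocated binary was loaded.
            loaded = ev.get("ImageLoaded", "")
            if _dir(loaded) == image_dir:
                findings.append(("dll_loaded_beside_calc", image, loaded))
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding)
```

The same two conditions can be expressed as rules in whatever EDR or SIEM is already deployed; the script only shows the logic.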


