Computers are evolving every day with new security and privacy measures to protect your system from malware. But so are attackers. Now attackers have found a new way to infect Windows PCs with malware, and they do it with the Windows Calculator.
The QBot (also known as Qakbot) malware group has found a new way to deliver malicious code to systems. According to a report by Bleeping Computer, the attackers use the Windows Calculator app to load malicious code onto systems. They do this using DLL sideloading, one of the most common attack techniques.
How does the malware “attack” your PC?
DLL sideloading takes advantage of the way Windows locates and loads dynamic link libraries (DLLs). Attackers use the technique to create a look-alike of a legitimate DLL, which is then placed in a folder from which the operating system loads it as though it were the authorized DLL.
The QBot malware, initially a banking Trojan, has since evolved into a malware distribution platform actively used by ransomware gangs.
The attackers used the Windows 7 Calculator app to sideload the DLL. The method has been used in malicious spam campaigns, and the malware is said to have been infecting PCs since July 11 this year.
The malware spreads via email with an HTML attachment that delivers a password-protected ZIP archive. The ZIP file is locked behind a password to evade antivirus scanning. Inside the ZIP archive the attackers place an ISO file containing a .LNK shortcut for a copy of “calculator.exe” (the Windows Calculator) and two DLL files: WindowsCodecs.dll and 7533.dll (the malicious payload).
Once the user mounts the ISO file, the shortcut launches the Windows Calculator application, and the QBot malware then infiltrates the system through the command prompt. Because Calculator is a trusted program, the malware is quite effective: it runs in plain sight even with antivirus software installed on the system.
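The mechanism described above (the application's own directory is searched before the Windows system directories, so a same-named DLL placed beside a copied Calculator wins) leaves a clear trace in image-load telemetry. The following Python is an added example and is not code from the article or from Bleeping Computer; it parses a few constructed, Sysmon-style “Image loaded” records (the pipe-delimited layout, the SYSTEM_DIRS list and the KNOWN_SYSTEM_* name sets are assumptions for this example) and flags loads where a DLL with a system name resolves outside the system directories, or where a Windows binary such as calc.exe runs from somewhere else, as it does from a mounted ISO.

```python
import ntpath

# Windows searches the application's own directory before these system
# directories, so a system-named DLL resolved from anywhere else was shadowed
# by an app-local copy. The list is an assumption for this example.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Names that should only resolve from the system directories. WindowsCodecs.dll
# is the name abused in the campaign above; calc.exe is the trusted host binary.
# A real deployment would baseline these sets from System32 (assumption).
KNOWN_SYSTEM_DLLS = {"windowscodecs.dll"}
KNOWN_SYSTEM_EXES = {"calc.exe"}

# Constructed image-load records in a pipe-delimited key=value form; the field
# names mirror Sysmon Event ID 7, the layout is this example's own.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\calc.exe|ImageLoaded=C:\Windows\System32\WindowsCodecs.dll|Signed=true",
    r"Image=D:\calc.exe|ImageLoaded=D:\WindowsCodecs.dll|Signed=false",
    r"Image=C:\Program Files\Contoso\app.exe|ImageLoaded=C:\Program Files\Contoso\apphelper.dll|Signed=true",
]


def _norm(path):
    """Case-insensitive, normalised Windows path for comparisons."""
    return ntpath.normpath(path).lower()


def is_under_system_dir(path):
    """True if the path is one of the system directories or lies beneath one."""
    p = _norm(path)
    return any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRS)


def parse_event(line):
    """Parse one record into process image, loaded DLL and signature flag."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "process": fields["Image"],
        "dll": fields["ImageLoaded"],
        "signed": fields.get("Signed", "false").lower() == "true",
    }


def analyze(event):
    """Return the reasons this load looks like sideloading; empty list if benign."""
    reasons = []
    proc_dir = ntpath.dirname(event["process"])
    proc_name = ntpath.basename(event["process"]).lower()
    dll_dir = ntpath.dirname(event["dll"])
    dll_name = ntpath.basename(event["dll"]).lower()

    # Rule 1: a DLL with a system name was resolved from a non-system location.
    if dll_name in KNOWN_SYSTEM_DLLS and not is_under_system_dir(dll_dir):
        reasons.append(f"{dll_name} resolved from {dll_dir} instead of a system directory")
        if _norm(dll_dir) == _norm(proc_dir):
            reasons.append("DLL sits beside the executable (application-directory search order)")

    # Rule 2: a trusted Windows binary is a copy running outside the system directories.
    if proc_name in KNOWN_SYSTEM_EXES and not is_under_system_dir(proc_dir):
        reasons.append(f"{proc_name} is a copy running from {proc_dir}")

    # Signature state only sharpens an existing finding; unsigned alone is too noisy.
    if reasons and not event["signed"]:
        reasons.append("loaded image carries no valid signature")
    return reasons


def scan(lines):
    """Return (process, dll, reasons) for every record that trips a rule."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = analyze(ev)
        if reasons:
            flagged.append((ev["process"], ev["dll"], reasons))
    return flagged


if __name__ == "__main__":
    for process, dll, reasons in scan(SAMPLE_LOG):
        print(f"{process} -> {dll}")
        for r in reasons:
            print(f"  - {r}")
```

Of the three constructed records, only the second trips the rules: the genuine Calculator loading WindowsCodecs.dll from System32 and a third-party application loading its own helper DLL from its install folder are both left alone, while the copy of calc.exe on drive D: that picks up WindowsCodecs.dll from the same folder is reported on every count. The signature check is deliberately subordinate to the path rules so that unsigned but legitimately app-local DLLs do not flood the results.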
However, the malware is ineffective on newer Windows 10 or 11 systems. Attackers cannot use DLL sideloading techniques on newer versions of Windows, but users running Windows 7 or earlier should be wary of spam emails before opening them.