Skip to main content

This new malware hijacks Windows WordPad to avoid detection

Web Hosting & Remote IT Support

Hackers have begun abusing a flaw in the WordPad text editor that comes preloaded with the Windows 10 operating system to distribute the Qbot malware, researchers have claimed.

A cybersecurity researcher and a member of Cryptolaemus, going by the alias ProxyLife discovered a new email campaign in which hackers are distributing the WordPad program together with a malicious .DLL.

When WordPad is launched, it will look for certain .DLL files it needs in order to properly run. First, it will look for the files in the same folder it resides, and if it finds them - it will automatically run them, even if those .DLL files are malicious.

DLL hijacking

The practice is usually called “DLL sideloading” or “DLL hijacking” and it’s a known method. Previously, hackers were seen using the Calculator app to do the same thing.

In this particular instance, when WordPad runs the DLL, the malicious file will use an executable called Curl.exe (found in the System32 folder) to download a DLL pretending to be a PNG. That DLL is actually Qbot, an ancient banking trojan that can steal emails to use in more phishing attacks, and initiate the download of additional malware, such as Cobalt Strike, for example. 

Read more

> Qbot malware found smuggled inside Windows Installer packages

 > This powerful email malware attack uses PDF and WSF files to break your defenses

 > These are the best firewalls around

By using legitimate programs, such as WordPad, or Calculator, to run the malicious DLL files, threat actors are hoping to bypass any antivirus programs and remain stealthy during the attack. 

However, as this method requires Curl.exe to be used, it only works on Windows 10 and newer versions, as previous versions did not have this program preinstalled. That doesn’t do much good as older versions are mostly reaching end of support anyway, and users are moving towards Windows 10 and Windows 11. 

Right now, BleepingComputer reports, the QBot operation has moved on to other infection methods in recent weeks.

Via: BleepingComputer



via Hosting & Support
Labels:

Comments

Post a Comment

Web Hosting
Remote IT Support
Sites & Socials
Computing Handbook - $9.95

Popular posts from this blog

This new malware campaign can hijack your Gmail or Outlook email account

Web Hosting & Remote IT Support Cybersecurity researchers from Cisco Talos have spotted a new hacking campaign they claim is targeting victims’ sensitive data, login credentials, and email inboxes. Horabot is described as a botnet that has been active for almost two and a half years now (first spotted in November 2020). During that time, it’s mostly been tasked with distributing a banking trojan and spam malware .  Its operators seem to be located in Brazil, while its victims are Spanish-speaking users located mostly in Mexico, Uruguay, Venezuela Brazil, Panama, Argentina, and Guatemala. Horabot botnet The victims are found in different industries, from investment firms to wholesale distribution, from construction to engineering, and accounting. The attack starts with an email message carrying a malicious HTML attachment. Ultimately, the victim is urged to download a .RAR archive, which holds the banking trojan.  The malware is capable of doing plenty of things: stealing l
Post a Comment
Read more

Want to store 1PB of data in the cloud? This startup can do it for you for as little as $10,000 a month — Qumulo says it can scale to Exabytes off premise and wants to eradicate tapes once and for all

Web Hosting & Remote IT Support Qumulo has launched Azure Native Qumulo Cold (ANQ Cold), which it claims is the first truly cloud-native, fully managed SaaS solution for storing and retrieving infrequently accessed “cold” file data. Fully POSIX-compliant and positioned as an on-premises alternative to tape storage, ANQ Cold can be used as a standalone file service, a backup target for any file store, including on-premises legacy scale-out NAS, and it can be integrated into a hybrid storage infrastructure, enabling access to remote data as if it were local. It can also scale to an exabyte-level file system in a single namespace. “ANQ Cold is an industry game changer for economically storing and retrieving cold file data,” said Ryan Farris, VP of Product at Qumulo. “To put this in perspective with a common use case, hospital IT administrators in charge of PACS archival data can use ANQ Cold for the long-term retention of DICOM images at a fraction of their current on-premises leg
Post a Comment
Read more

No light without dark : making the most of ‘shadow IT’

Web Hosting & Remote IT Support In the last few decades, technology has created a modern digital workforce that is technically skilled and adept at finding innovative solutions that would help them succeed at work. However, with 95% of employees struggling with digital friction in the workplace - including a lack of access to the right tools - ambitious employees who are hungry for results have often needed to explore fixes outside the scope of existing systems provided by their employers. On top of that, the popularity of cloud-based apps has resulted in business processes often ending up fragmented across various systems, requiring workers to devote time to manual maintenance. This has accelerated the spread of (the unnecessarily ominous sounding) ‘shadow IT’, or applications that savvy workers use without official authorization to help them bypass limitations and get work done. In a perfect world, a balance can be struck between giving these technically skilled workers freed
Post a Comment
Read more