
    From TechnologyDaily@1337:1/100 to All on Mon Jul 25 16:15:04 2022
    One of the most beloved Windows tools could actually be a huge security risk

    Date:
    Mon, 25 Jul 2022 15:01:49 +0000

    Description:
    Windows calculator being abused to sideload Qbot in some versions, experts find.

    FULL STORY ======================================================================

    Calculator, one of the most basic (and most useful) Windows tools, is being abused to load malware onto target endpoints, researchers have found.

    ProxyLife experts discovered the Windows calculator tool can be used to
    infect the device with Qbot, a known malware dropper used to deliver Cobalt Strike beacons on targeted devices, which is often the first step in a ransomware attack.

    As usual, the attack starts with a phishing attempt. The threat actor will mail the victim, attaching an HTML file that, in turn, downloads a password-protected .ZIP archive. Being password-protected helps the payload avoid detection from antivirus programs. Extracting the .ZIP archive shows an .ISO file, a digital file format replicating a physical CD, DVD, or BD. Mounting the .ISO brings forth four files: two .DLL files (one of which is
    the Qbot malware), one shortcut (posing as the file the victim is supposed to open), and the calculator program (calc.exe).

    Running malicious DLLs

    The shortcut does nothing more than bring up the calculator, but here's the
    fun part: when the calculator starts, it will look for .DLL files needed to properly run. It won't look for them in specific folders, but rather first and foremost - in the same folder as the calc.exe. Which brings us back to the
    two .DLL files that the victim downloaded together with the Calculator.


    Running the calculator will trigger the first .DLL file, and that one will trigger the second, or in this case - the Qbot malware.

    The practice is also known as DLL side-loading.
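    As an added illustration (not part of the article or the original report), here is the kind of detection logic a defender could run over endpoint telemetry for this pattern: flag calc.exe started outside its trusted system directories and then loading a DLL from its own directory. The event records are constructed Sysmon-style process-create (ID 1) and image-load (ID 7) entries; the field names mirror Sysmon's but the records themselves are assumptions made up for this example.

```python
# Added example: detect the calc.exe DLL side-loading pattern described above.
# Records are constructed Sysmon-style events (EventID 1 = process create,
# EventID 7 = image load); paths and PIDs are made up for illustration.
from pathlib import PureWindowsPath

# Directories where a genuine calc.exe is expected to live (assumption: default install).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def parent_dir(path: str) -> str:
    """Normalised (lower-case) directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()

def is_trusted_dir(path: str) -> bool:
    return parent_dir(path) in TRUSTED_DIRS

def find_sideload(events, binary="calc.exe"):
    """Return findings for a system binary that runs outside a trusted
    directory and then loads a DLL from the directory it was started from.
    This is a heuristic: portable apps legitimately load DLLs beside them."""
    findings = []
    untrusted = {}  # pid -> directory of the suspicious image
    for ev in events:
        image = ev["Image"]
        name = PureWindowsPath(image).name.lower()
        if ev["EventID"] == 1 and name == binary and not is_trusted_dir(image):
            untrusted[ev["ProcessId"]] = parent_dir(image)
            findings.append(f"{binary} launched from untrusted path {image}")
        elif ev["EventID"] == 7 and ev["ProcessId"] in untrusted:
            loaded = ev["ImageLoaded"]
            if parent_dir(loaded) == untrusted[ev["ProcessId"]]:
                findings.append(f"pid {ev['ProcessId']} side-loaded {loaded}")
    return findings

# Constructed sample: an ISO mounted as D:\ containing calc.exe and a DLL,
# followed by a legitimate calc.exe run from System32 for comparison.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"D:\calc.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"D:\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"D:\calc.exe",
     "ImageLoaded": r"D:\sample1.dll"},
    {"EventID": 1, "ProcessId": 5010, "Image": r"C:\Windows\System32\calc.exe"},
    {"EventID": 7, "ProcessId": 5010, "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for line in find_sideload(SAMPLE_EVENTS):
        print(line)
```

    The trusted-directory check catches the "bundled calc.exe" step on its own; the image-load correlation adds the actual side-load and cuts noise from the binary's normal System32 imports.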

    It is also worth mentioning that this attack does not work on Windows 10 or Windows 11, but works on Windows 7, which is why the threat actors bundle
    the Windows 7 version. The campaign has been active since July 11, and apparently, is still active at press time.

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/one-of-the-most-beloved-windows-tools-could-actually-be-a-huge-security-risk/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)