According to researcher “ProxyLife” on Twitter, QBot malware, aka QakBot, has been exploiting the Windows 7 Calculator app since at least 11 July 2022.

QBot malware (aka QakBot) is targeting devices using Windows OS in a rather unconventional manner. Security researcher ProxyLife reported that hackers are infecting Windows PCs with QBot malware, and the malicious code is distributed via Windows Calculator.

The researcher noted that infecting PCs this way can also make it easier for cyber crooks to launch malspam (malicious spam) campaigns.

Windows Calculator App Distributing Malware

QBot malware has been exploiting the Windows 7 Calculator app since at least 11 July 2022. The app is abused for DLL side-loading attacks, a common technique in which an attacker creates a malicious file carrying the same name as a legitimate DLL the program depends on.

This file is placed in the same folder as the program and is loaded by the system in place of the original. Since Calculator is a trusted Windows program, security software tends not to flag the DLL it loads, allowing the malware to evade detection.

What is QBot?

For your information, QBot is a Windows malware strain. It first surfaced as a banking trojan and has since become a preferred choice of ransomware gangs due to its constant evolution into a powerful malware distribution platform.

How does it Infect Windows Machines?

According to Bleeping Computer, the malware is deployed through emails in which it is hidden in an HTML file attachment. This attachment contains a password-protected ZIP archive with an ISO file containing a .LNK file.

According to the researcher, this file is a spoofed version of the Windows Calculator app’s file (calc.exe). Two DLL files are also present in the archive: WindowsCodecs.dll and 7533.dll, which contain the malicious payload.

When the email recipient opens the ISO file, it executes a .LNK shortcut linked to the Calculator app. When the victim opens the shortcut, the spoofed Calculator app opens, and the system gets infected with QBot malware via Command Prompt.

Image: ProxyLife (Twitter)
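The chain described above leaves a recognisable footprint in image-load and process-creation telemetry: a copy of calc.exe running from a removable or mounted drive, that copy loading a DLL named like a system DLL (WindowsCodecs.dll) from outside System32, and Calculator spawning Command Prompt. The following detection logic is an added example written for this article, not code from the researcher or from any product. The log lines are constructed, with field names modelled on Sysmon Event ID 7 (Image Loaded) and Event ID 1 (Process Create) flattened to key=value pairs; that flattened format, the list of system DLL names, and the numeric-DLL-name heuristic are assumptions made for the example.

```python
"""Flag calc.exe DLL side-loading indicators in constructed key=value log records.

Assumptions (example code, not a real log format):
  * each line is one event, fields written as Key=Value with no spaces in values
  * EventID=7 carries Image, ImageLoaded and Signed; EventID=1 carries Image
    and ParentImage (names borrowed from Sysmon, values invented here)
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Directories from which Windows system DLLs are expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System DLL names worth watching when loaded from elsewhere (assumption for
# the example; WindowsCodecs.dll is the name used in the campaign above).
SYSTEM_DLL_NAMES = {"windowscodecs.dll"}
# Trusted Microsoft binaries that should normally run from System32.
TRUSTED_BINARIES = {"calc.exe"}

# Constructed sample telemetry: benign loads on lines 1 and 5, the
# side-loading chain on lines 2 to 4 (E: is an assumed mounted ISO).
SAMPLE_LOG = r"""
EventID=7 Image=C:\Windows\System32\calc.exe ImageLoaded=C:\Windows\System32\WindowsCodecs.dll Signed=true
EventID=7 Image=E:\calc.exe ImageLoaded=E:\WindowsCodecs.dll Signed=false
EventID=7 Image=E:\calc.exe ImageLoaded=E:\7533.dll Signed=false
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=E:\calc.exe
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\WindowsCodecs.dll Signed=true
""".strip()


def parse_line(line: str) -> Dict[str, str]:
    """Split one Key=Value record into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_under_system_dir(path: str) -> bool:
    """True when the path sits inside System32 or SysWOW64 (case-insensitive)."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in SYSTEM_DIRS)


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a single parsed event."""
    findings: List[str] = []
    image = ev.get("Image", "")
    image_name = ntpath.basename(image).lower()

    if ev.get("EventID") == "7":
        loaded = ev.get("ImageLoaded", "")
        loaded_name = ntpath.basename(loaded).lower()
        # A system DLL name resolved outside the system directories is the
        # core side-loading signal.
        if loaded_name in SYSTEM_DLL_NAMES and not is_under_system_dir(loaded):
            findings.append(f"side-load: {image_name} loaded {loaded_name} from {ntpath.dirname(loaded)}")
        # The trusted host binary itself has been copied out of System32.
        if image_name in TRUSTED_BINARIES and not is_under_system_dir(image):
            findings.append(f"relocated trusted binary: {image}")
        # Unsigned DLLs with purely numeric names (like 7533.dll) are a weak
        # but cheap heuristic for dropped payloads.
        if re.fullmatch(r"\d+\.dll", loaded_name) and ev.get("Signed", "").lower() != "true":
            findings.append(f"unsigned numeric-named DLL: {loaded}")
    elif ev.get("EventID") == "1":
        parent_name = ntpath.basename(ev.get("ParentImage", "")).lower()
        # Calculator has no business launching Command Prompt.
        if parent_name in TRUSTED_BINARIES and image_name == "cmd.exe":
            findings.append(f"{parent_name} spawned cmd.exe")
    return findings


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line number, finding) pairs."""
    alerts: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            for finding in analyze_event(parse_line(line)):
                alerts.append((lineno, finding))
    return alerts


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Run against the sample, the two benign lines produce nothing while lines 2 to 4 produce five findings between them. The path-based rule is the one worth keeping in production: a DLL bearing a system DLL's name that resolves anywhere other than System32 or SysWOW64 is suspicious regardless of which trusted binary loaded it, so the check generalises beyond calc.exe to any side-loading host.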

Who’s at Risk?

It is worth noting that hackers cannot exploit Windows 10 or 11 through this DLL side-loading technique, and therefore, they can only target systems running Windows 7. All users of Windows 7 should be cautious of such suspicious emails and avoid opening enclosed ISO files.
