Security researchers have identified new indicators of compromise for Qakbot malware, which now uses a new DLL sideloading infection technique that seeks to trick an official app into using a malicious DLL file.
Threats never stay the same, and hackers always look to improve their malware to stay ahead of security solutions. Evolving malware might change attack vectors or improve existing ones. In any case, it’s the main reason malware families endure.
The same goes for Qakbot, a malware strain known for of its role in large email spam campaigns. Its inner workings have been well documented, but it looks like its developers have made some changes. When security researcher proxylife and Cyble took a closer look at one of the latest spam email campaigns carrying this malware strain, they noticed something new.
“In this campaign, the spam email contains a password-protected zip file which contains an ISO file,” explainedthe researchers. “When mounted, this ISO file shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the system is infected with Qakbot malware.”
The malware uses DLL sideloading, a technique that lets attackers trick apps into loading malicious .dll files with the same name as the legitimate one.
“In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe,” the researchers explained.
“Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.”
The primary purpose of the Qakbot is to steal credentials from infected systems, so the damage such malware can inflict is substantial.
Of course, as usual, we recommend not opening emails or attachments from unknown sources. Always have a security solution installed, such as Bitdefender Ultimate Security, that can prevent infections and other types of attacks.