QBot Malware Exploits Windows WordPad EXE

QBot malware, a notorious threat that has evolved from a banking trojan to a malware dropper. It has came to revelation that a new technique to infect computers. This time, it abuses a DLL hijacking vulnerability in the Windows 10 WordPad program. By utilizing the legitimate WordPad executable, QBot aims to evade detection by the security software. It makes its malicious activities harder to detect and mitigate.

Understanding DLL hijacking & QBot malware exploitation

DLL with the same name as a legitimate one and places it in the early Windows search path. It usually the same folder as the executable. When the executable get launch, instead of loading the genuine DLL, it unwittingly loads the malware DLL. It executes its malicious commands. QBot has cleverly employed this technique to advance its infiltration strategy.

QBot’s approach to DLL hijacking

According to security researcher, a new QBot phishing campaign has recently stole headlines. It is for exploiting the DLL hijacking vulnerability found in the Windows 10 WordPad executable, write.exe. While BleepingComputer has not examine the original phishing emails. It reveals that they contain a link that leads to a file download.

A random named ZIP archive from a remote host is downloaded upon clicking the link. This ZIP file comprises two essential components: document.exe (the Windows 10 WordPad executable) and a DLL file named edputil.dll, which is used for the DLL hijack. The document.exe file is a renamed copy of the legitimate Write.exe executable, a commonly used program to launch the Windows 10 WordPad document editor.

When document.exe is launched, it automatically attempts to load the authentic edputil.dll from the C:\Windows\System32 folder. However, it fails to verify the DLL’s location. It inadvertently loads any DLL with the same name found in the same folder as the document.exe executable. This critical oversight allows threat actors to implement DLL hijacking by creating a malicious version of the edputil.dll DLL and placing it in the same folder as document.exe, ensuring its execution instead of the legitimate DLL.

Successful DLL hijacking

Once the malicious DLL is successfully loaded, ProxyLife disclosed that the QBot malware utilizes C:\Windows\system32\curl.exe to download a DLL disguised as a PNG file from a remote host. To execute this PNG file (DLL), the malware employs rundll32.exe with the following command: rundll32 c:\users\public\default.png,print.

Although the QBot operation has shifted to other infection methods in recent weeks, it is not uncommon for them to revert to previous tactics in subsequent campaigns. This highlights the need for continuous vigilance and proactive security measures to protect against evolving threats like QBot.

Risk mitigation against QBot malware

To mitigate the risk posed by QBot and similar malware, users, and organizations must adopt several best practices:

  • Keep software and operating systems updated: Regularly applying security patches and updates help protect against known vulnerabilities that malware like QBot exploits.
  • Exercise caution with email attachments and downloads: Be wary of unexpected or suspicious email attachments, especially if they prompt you to enable macros or run executable files. Verify the legitimacy of the sender and the content before opening or downloading any files.
  • Implement robust security software: Deploy reputable antivirus and anti-malware solutions that provide real-time scanning and threat detection capabilities. Regularly update these security tools to ensure they can identify and block the latest threats.
  • Educate users about phishing attacks: Phishing is commonly used to deliver malware. Teach users how to recognize phishing emails, avoid clicking on suspicious links. Also report any suspicious emails to the appropriate IT personnel.
  • Enable firewalls and intrusion detection systems: Firewalls act as a barrier. It is between your network and potential threats, while intrusion detection systems monitor network traffic. It is for suspicious activity and potential breaches.
  • Implement strong password policies: Encourage users to create unique and complex passwords for their accounts. Consider implementing multi-factor authentication. It will add an extra cushion of security.
  • Regularly back up critical data: Regularly backup important files and data to ensure they can be easily restored during ransomware attacks or other data loss incidents.

Following these preventive measures and staying informed about emerging threats like QBot, users and organizations can enhance their overall security posture and reduce the risk of falling victim to such malware attacks.

Conclusion – QBot malware

The QBot malware has evolved and adapted its tactics by exploiting a DLL hijacking vulnerability in the Windows 10 WordPad program. Using the legitimate WordPad executable, QBot aims to circumvent detection and carry out its malicious activities. Individuals and organizations must stay proactive in implementing security measures, maintaining up-to-date software. Also for fostering a security-conscious culture to effectively combat evolving threats like QBot and safeguard their digital environment.