The QBot Malware Operators Use DLL Hijacking to Sideload Malicious Files in Windows Computers

Taking advantage of how Windows handles Dynamic Link Libraries (DLLs), attackers are creating a malicious version of DLLs required by the program and infecting victims’ computers. Read on to know how it happens and ways you can protect yourself.

QBot or Qakbot is a malware strain in Windows that began as a banking trojan and later evolved as a malware dropper. In the early stages of the attack, the malicious actors used it to drop Cobalt Strike beacons.

Recently, the ransomware gangs that operated the QBot malware started infecting computers by exploiting a DLL hijacking flaw in the Windows Calculator application. Besides infecting the system, the weakness also helps them evade detection from the security software.

Security researchers at ProxyLife discovered that since July 11, Qakbot was abusing the Windows 7 Calculator app to launch DLL hijacking attacks. Attackers keep using this method in various malspam campaigns. Before studying the modus operandi of the attack, let us first see what DLLs are.

What Are DLL Files?

Dynamic Link Library files, or DLL files, contain all the resources an application requires to run successfully. They include a library and images of executable functions. End-users cannot open the DLL files, and the associated application can only open them during the application’s start-up.

Windows systems need DLL files because it helps them understand how to use the resources, hard drive space, and the host computer memory more efficiently.

DLL files usually have a .dll extension, but some can have the .drv, .drov and .exe extension too. A single DLL file can run multiple programs so multiple programs can get compromised during a DLL hijacking attack.

Image sourced from cihansol.com

What is DLL Hijacking?

DLL hijacking is a method attackers use to inject malicious code into a Windows application. They achieve this by exploiting the vulnerabilities in Windows applications in the way they search and load DLLs (Dynamic Link Libraries). Only the systems running Microsoft OS are susceptible to DLL hijacking.

After the attackers replace a required DLL file with a malicious version and place it within the search parameters of the application, the application will call the infected file when it loads, activating its infectious operations.

If a DLL hijack needs to be successful, the victim must load the malicious DLL file from the targeted application’s directory. If applications that automatically load on start-up get compromised with an infected DLL file, malicious actors can access the infected computer whenever it restarts.

DLL hijacking is not a new cyberattack method and has been circulating since Windows 2000’s launch.

How Does the New QBot Infection Chain Work?

Researchers at ProxyLife and Cyble documented the latest QBot infection chain to assist users in mitigating the risk.

Attackers use electronic mail in the newest marketing campaign, including an HTML file attachment. If a user clicks on it, a password-protected ZIP file containing an ISO file is downloaded.
The HTML file contains the password to open the ZIP file. Malicious actors lock the file to avoid antivirus detection.
The ISO file includes a .LNK file and a duplicate ‘calc.exe’ (Windows Calculator). Additionally, it contains two DLL records data named payload 7533.dll and WindowsCodecs.dll.
When the victim mounts the ISO file, it will only display the .LNK file, which threat actors mask to appear like a PDF with vital info or a file that the user can open with the Microsoft Edge browser.
However, the shortcut opens the Calculator software on Windows.
After the user chooses the shortcut, it begins an infection chain by operating the Calc.exe using Command Prompt.
After loading, Windows 7 Calculator detects and attempts to load the original WindowsCodecs DLL file. However, it doesn’t use specific encoded paths to test DLLs, and if the DLL with an identical title is positioned in the same folder Calc.exe executable, it will load it.
The malicious actors exploit this vulnerability and create a malicious WindowsCodecs.dll file that will launch the other [numbered].dll file (QBot malware).
The antivirus will not detect it if the user installs the QBot malware using a trusted application (Windows Calculator).
It is worth noting that the flaw mentioned above does not work with Windows 10 Calc.exe and later. Hence, the attackers bundle the earlier Windows 7 version.

The QBot has been around for over a decade, with origins going back as early as 2009. While malicious actors did not carry out frequent campaigns to deliver it, they used the Emotet botnet for dropping ransomware payloads.

How to Prevent DLL Hijacking?

Software developers are the first line of defense against DLL hijacking attacks. They must follow secure coding practices and determine the exact directory for all associated DLL files. It will prevent Windows from executing its DLL search path protocol. Additional measures that organizations and individuals can take to prevent DLL hijacking are:

Keeping the antivirus software up-to-date: While some sophisticated supply chain attacks can skip detection, up-to-date antivirus software can detect and block malicious DLL injection attempts to an extent.
Educating the staff about social engineering and phishing warning signs: DLL hijacking is successful only if the attackers successfully introduce a malicious DLL file into the ecosystem. If the organization mitigates the possibility of injection, it can prevent DLL hijacks.
Restrict library loading: You can prevent remote DLLs from loading by enabling DLL-safe search mode. It restricts the system when searching for DLL files.
Execution prevention: Use robust application control solutions for identifying and blocking any potentially malicious software that gets executed through DLL search order hijacking.

Other best practices include:

Enforcing an accessible Information Security Policy.
Implementing multi-factor authentication.

Final Words

The QBot malware that started its journey as a banking trojan quickly evolved into a malware dropper for Cobalt Strike beacons. It is highly infectious and constantly adapts its strategies to gain a greater influence.

The malware steals personal data and credentials from victims for financial gain and may result in fraud, identity theft, and other consequences. Thus, organizations need to ensure they have robust protection from phishing by adopting adequate anti-phishing tools and providing relevant training to the employees, so they don’t accidentally compromise the organization’s critical information.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.