DLL hijacking is an attack method used by threat actors to take advantage of the way Windows loads dynamic link libraries (DLLs).
During the launch of a Windows executable, it will look for any DLL dependencies present in the Windows search path. The program would instead load a malicious DLL and infect the computer if a threat actor creates a malicious DLL with the same name as one of the program's necessary DLLs and retained it in the same folder as the executable.
QBot, also known as Qakbot, is a Windows malware that was initially a banking trojan but later emerged as a full-featured malware dropper. The malware is also utilized by renowned ransomware gangs like Black Basta, Egregor, and Prolock in order to gain initial access to corporate networks.
In July, security researcher ProxyLife found that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability, in order to spread the QBot malware.
Meanwhile this week, ProxyLife reported that the threat actors have switched to utilizing a DLL hijacking flaw in the Windows10 Control Panel executable, namely control.exe.
Abusing the Windows Control Panel:
In a phishing campaign witnessed by ProxyLife, the hackers used stolen reply- chain emails to distribute an HTML file attachment, which downloads a password-protected ZIP archive consisting an ISO file inside.
The HTML file, named similar to 'RNP_[number]_[number].html, displays an image personating Google Drive and a password for a ZIP archive that is downloaded automatically. This ZIP archive consists of an ISO disk image that, when double-clicked will automatically be displayed in a new drive letter in Windows10 and later.
This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware).
The Windows shortcut (.LNK) included in the ISO uses an icon that attempts to make it look like a genuine folder.
The shortcut, however, opens the Windows 10 Control Panel executable, control.exe, which is kept in the ISO file, when a user tries to open this fabricated folder.
The genuine edputil.dll DLL, which is placed in the C:WindowsSystem32 folder, will automatically be loaded when control.exe is opened. It does not, however, look for the DLL in specific folders and will load any DLL with the same name that is put in the same folder as the program control.exe.
As the hackers are bundling a malicious edputil.dil DLL in the same folder as control.exe, instead the fraudulent DLL will be loaded by the users. Once the malicious edputil.dll DLL is loaded, it infects the device with the QBot malware (msoffice32.dll) using the regsvr32.exe msoffice32.dll command.
Security software may not recognize QBot as malicious if it is installed using a trustworthy tool, such as the Windows 10 Control Panel, allowing the malware to avoid detection.
QBot will now covertly run in the background, accessing and stealing emails to use them later for the phishing attacks and install additional payloads like Brute Ratel or Cobalt Strike, that are post-exploitations toolkits that hackers use to acquire remote access to corporate networks. This remote access further leads to corporate data theft and ransomware attacks.
