The Windows Calculator is being used by the operators of the QBot malware to side-load their malicious payload onto infected computers. The technique, known as DLL side-loading, abuses how Windows resolves Dynamic Link Libraries (DLLs): an attacker drops a malicious DLL carrying the name of a legitimate one into a folder the OS searches first, so the application loads it in place of the real library. The malware, also known as QakBot, started as a banking trojan but has evolved into a malware dropper and is now used to deploy Cobalt Strike beacons. Security researcher ProxyLife recently discovered that QakBot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11.
To help defenders, the latest QBot infection chain has been documented. Emails in the most recent campaign carry an HTML file attachment that downloads a password-protected ZIP archive; the password for opening the ZIP is shown in the HTML file. Inside the archive is an ISO file containing a .LNK file, a copy of calc.exe, and two DLL files. When the ISO is mounted, it displays the .LNK file, which is disguised as a PDF holding important information. Clicking this shortcut triggers the infection by executing the bundled calc.exe through the Command Prompt. When it starts, calc.exe searches for and loads the legitimate Windows Codecs DLL. It does not restrict that lookup to hard-coded system paths, so it will load any DLL with the same name placed in the same folder as the executable. Threat actors are taking advantage of this flaw to launch the QBot malware. It should be noted that this side-loading flaw no longer works in Windows 10 and later, which is why Windows 7 is the main target.
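As an added illustration (not code from the original article or from the researcher cited), the detection logic below flags the pattern described above in Sysmon-style image-load records: a calc.exe running outside the Windows system directories, or the Windows Codecs DLL being resolved from the executable's own folder instead of System32. The event records are constructed for the example, the field names follow Sysmon Event ID 7 loosely, and the file name WindowsCodecs.dll is assumed for the "Windows Codecs DLL" the article mentions.

```python
import ntpath

# Constructed Sysmon-style Event ID 7 (ImageLoad) records: process image, loaded module, signature.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\WindowsCodecs.dll", "Signed": "true"},
    {"Image": r"D:\Docs\calc.exe",
     "ImageLoaded": r"D:\Docs\WindowsCodecs.dll", "Signed": "false"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

# Directories from which the legitimate calc.exe and its DLL dependencies are expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL name assumed for the "Windows Codecs DLL" that calc.exe resolves at start-up.
WATCHED_DLLS = {"windowscodecs.dll"}


def _in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def classify(event):
    """Return the reasons why one image-load event looks like calc.exe side-loading (empty if clean)."""
    image, loaded = event["Image"], event["ImageLoaded"]
    reasons = []
    if ntpath.basename(image).lower() == "calc.exe" and not _in_system_dir(image):
        reasons.append("calc.exe executed outside the Windows system directories")
    if ntpath.basename(loaded).lower() in WATCHED_DLLS:
        if not _in_system_dir(loaded):
            reasons.append("Windows Codecs DLL loaded from a non-system folder")
        same_folder = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
        if same_folder and not _in_system_dir(image):
            reasons.append("DLL resolved from the executable's own folder")
        if event.get("Signed", "").lower() != "true":
            reasons.append("loaded DLL is not signed")
    return reasons


def find_sideloading(events):
    """Pair each suspicious event's process image with its reasons; clean events are dropped."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits
```

Adjust SYSTEM_DIRS to the host's actual Windows install path before running this against real telemetry.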