Operators of the QBot malware are using the Windows Calculator to side-load their malicious payload on infected computers. The technique, known as DLL side-loading, is a common attack that takes advantage of how Windows handles Dynamic Link Libraries (DLLs): the attacker spoofs a legitimate DLL and places it in a folder from which the OS loads it instead of the legitimate one. The malware, also known as QakBot, started as a banking trojan but evolved into a malware dropper and is used to drop Cobalt Strike beacons. Security researcher ProxyLife recently discovered that QakBot has been abusing the Windows 7 Calculator app for DLL side-loading attacks since at least July 11.
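A defender-side illustration of the pattern described above, added here and not part of the original article: the check flags image-load events in which a copy of a watched system binary (calc.exe, as in the article) runs outside the Windows system directories and loads a DLL from its own folder. The event shape (modelled on the `Image` and `ImageLoaded` fields of Sysmon Event ID 7), the `C:\Windows` install path, the sample paths and the DLL name `example.dll` are assumptions constructed for the example.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# System binaries to watch; calc.exe is the one named in the article.
WATCHED_BINARIES = {"calc.exe"}


def parent_dir(path):
    """Lower-cased parent directory of a Windows path (runs on any OS)."""
    return ntpath.dirname(ntpath.normpath(path)).lower()


def find_sideloads(events):
    """Return (image, dll) pairs where a watched system binary running
    outside the system directories loaded a DLL from its own folder."""
    hits = []
    for ev in events:
        image, dll = ev["image"], ev["loaded"]
        if ntpath.basename(image).lower() not in WATCHED_BINARIES:
            continue
        image_dir = parent_dir(image)
        if image_dir in SYSTEM_DIRS:
            continue  # binary is in its normal location
        # A relocated copy is already unusual; a DLL loaded from the same
        # folder is the side-loading pattern itself.
        if parent_dir(dll) == image_dir:
            hits.append((image, dll))
    return hits


# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\calc.exe",
     "loaded": r"C:\Windows\System32\example.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\doc\calc.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\doc\CALC.EXE",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\doc\example.dll"},
    {"image": r"C:\Tools\editor.exe",
     "loaded": r"C:\Tools\example.dll"},
]

if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {image} loaded {dll}")
```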