Beware of this virus that hides in the Windows calculator



One of the most widespread banking malware families now uses the calculator to infect computers running Windows. Named Qbot or Qakbot, it is a banking Trojan horse first detected in 2009 that has evolved considerably since then. In particular, it can record keystrokes and steal passwords and banking information.

The attack seems to be quite targeted, since it uses thread hijacking, which relies on a compromised e-mail account. It picks up existing threads found in the inbox and replies to them with the malware as an attachment. The victim therefore receives an e-mail from a known sender, continuing an existing exchange.

The technique relies on a series of files nested inside each other like Russian dolls. The victim receives an e-mail with an attachment in HTML format (a web page). Once opened, it downloads a compressed folder (.ZIP), displays an error message pretending that a PDF file could not be opened, and asks the victim to open the downloaded file using a password. The password makes it possible to avoid detection by the antivirus, which cannot analyze the encrypted content.

Misuse of the calculator

The compressed folder contains an ISO file which, when opened, is mounted by the system as a CD-ROM. It contains a shortcut (.lnk) whose icon has been modified to look like a PDF document or web page. It also contains three hidden files: a perfectly ordinary copy of the calculator (calc.exe) and two DLL files, WindowsCodecs.dll and a second one named with a random number. In the analyzed example, it is 7533.dll.

From here the hackers use a technique called DLL sideloading, which consists of going through a legitimate program to load infected files. In this case, the malware is contained in the 7533.dll file. Unless the display of hidden files has been enabled, the victim only sees the shortcut that pretends to be a document. Opening it launches the copy of calc.exe, which loads system components, including WindowsCodecs.dll. Normally, the latter is a legitimate file in the Windows folders, but the calculator checks its own folder first, and therefore loads the modified version that was downloaded alongside it.

A malware that can hide another

Finally, the modified DLL file makes it possible to use the calculator to launch the registry editor (regsvr32.exe) in order to load the last file (7533.dll), which contains the Qbot malware. This can then infect the Windows file explorer (explorer.exe) and steal information. Moreover, Qbot is not only a banking Trojan. Over the years, this malware has also gained a dropper function, i.e. it can be used to install other malware. It has already been used to implant RansomExx, Maze, ProLock, Egregor and Black Basta.
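The two previous sections describe a chain a defender can look for in endpoint telemetry: a copy of calc.exe running from outside the Windows system folders, that copy loading a WindowsCodecs.dll that is not the one in System32, and calc.exe then spawning regsvr32.exe. The script below is an added example, not code from the article or from any security product; it runs the three checks over a handful of constructed, simplified process-create and image-load records (the field names are my own, not Sysmon's or any other vendor's schema).

```python
"""Detection heuristics for the calc.exe / WindowsCodecs.dll sideloading chain.

Added example. The Event records are a constructed, simplified stand-in for
process-creation and image-load telemetry; field names are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where the genuine calc.exe and WindowsCodecs.dll live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Event:
    kind: str          # "process_create" or "image_load"
    image: str         # full path of the process executable
    loaded: str = ""   # DLL path (image_load only)
    parent: str = ""   # parent process path (process_create only)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for the sideloading chain."""
    findings = []
    for e in events:
        if e.kind == "image_load":
            # A calc.exe running from a removable/mounted drive or user folder.
            if _name(e.image) == "calc.exe" and not _in_system_dir(e.image):
                findings.append(("calc_outside_system_dir", e.image))
            # WindowsCodecs.dll loaded from anywhere but System32/SysWOW64:
            # the search-order hijack the article describes.
            if _name(e.loaded) == "windowscodecs.dll" and not _in_system_dir(e.loaded):
                findings.append(("windowscodecs_sideload", f"{e.image} -> {e.loaded}"))
        elif e.kind == "process_create":
            # The calculator has no reason to spawn regsvr32.exe.
            if _name(e.image) == "regsvr32.exe" and _name(e.parent) == "calc.exe":
                findings.append(("calc_spawns_regsvr32", f"{e.parent} -> {e.image}"))
    return findings


# Constructed sample telemetry: one benign session, one matching the chain.
SAMPLE_EVENTS = [
    Event("image_load", r"C:\Windows\System32\calc.exe",
          loaded=r"C:\Windows\System32\WindowsCodecs.dll"),
    Event("image_load", r"D:\calc.exe", loaded=r"D:\WindowsCodecs.dll"),
    Event("process_create", r"C:\Windows\System32\regsvr32.exe",
          parent=r"D:\calc.exe"),
]


def run_sample() -> list[tuple[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

The first record (the real calculator loading the real codec DLL) produces nothing; the mounted-ISO session produces three findings, one per stage of the chain. Tying an alert to the combination of the second and third rules, rather than to either alone, keeps the noise down on hosts where users legitimately run portable tools from removable media.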

This attack does not work with the calculator of Windows 10 and 11, Microsoft having already rectified this flaw. However, the downloaded file contains the Windows 7 version of the calculator, which allows the technique to be used to infect newer versions of Windows. To avoid this attack, follow the usual recommendations: check that your antivirus is up to date, and never open an attachment if you don't know what it is, even if you know the sender.
