Threat actors have to find a way to get their malware onto your systems – phishing emails is an obvious method – Qakbot malware is the next step. This malware also known as Qbot, has been found to be to be intermediate software used by threat actors to infect victim’s systems with ransomware. The Qakbot malware is initially installed, using and involved techniques, that are designed to avoid detection, starting with an .html attachment downloading a password protected .zip file that contains the malware.
The use of the password protected .zip file – which the threat actors provide for the victim to use – is a common social engineering technique as it has been proven to elevate the trust of the malicious email.
Once the package has been activated, it’s attack vector is to use it’s copy of calc.exe – Windows Calculator – to execute the Qakbot attack. From there it is a short step to the ransomware attack.
One interesting point is that the latest version of calc.exe renders this attack useless, so package includes a Windows 7 version of calc.exe.
QBot phishing uses Windows Calculator sideloading to infect devices (bleepingcomputer.com)
Clive Catton MSc (Cyber Security) – by-line and other articles
