Windows Calculator is actively being abused to sideload Qbot, a known malware dropper. Calculator is one of the most basic—and most used—tools in Windows, and now researchers have found it is being used to infect target machines once attackers are given the opportunity to call upon system resources. The attack chain observed in active use by the researchers only works on Windows 7, though similar mechanisms may be used for more recent versions of the operating system.
A researcher at ProxyLife discovered that the Windows Calculator tool can be leveraged to deploy Qbot, a known malware dropper used to install Cobalt Strike beacons on victims’ systems; Cobalt Strike is a tool that is often used to initiate a ransomware attack.
Most often, this attack chain begins with a phishing email in which the threat actor sends potential victims a message with an HTML file attached. The HTML file then downloads a password-protected .ZIP archive from a system being used as the attacker’s tool repository. Because the .ZIP file is password-protected, it is often approved for delivery, even by threat detection solutions. When the archive contents are extracted, the .ISO file (a file format replicating a physical CD, DVD, or BD) can be mounted by the attacker’s code, releasing four files. The four files are two .DLL files, one of which is the Qbot malware; a shortcut that appears to be a file the victim should open; and the Windows Calculator program itself (calc.exe).
The shortcut simply opens the Calculator executable, but the calculator program’s default behavior when it starts is to check for the .DLL files it needs in order to run. By default, the program always checks the folder in which its own executable resides, so one of the two .DLL files delivered with calc.exe is loaded by the otherwise innocent calculator application.
The first .DLL file acts as a trigger for the second, which is actually the Qbot malware disguised as an innocuous code library; this is known as “DLL side-loading.”
To reiterate, this attack does not work with more recent versions of the Windows operating system, which is why threat actors have been observed bundling the Windows 7 version of calc.exe. However, it has been confirmed by researchers that the campaign is currently active and has been since July 11, 2022.
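As a defensive illustration of the side-loading behavior described above, the following added example (not code from the researchers) flags a copy of calc.exe that starts outside the Windows system directories and loads a .DLL from its own folder. The event records are modeled on Sysmon Event ID 1 (process creation) and Event ID 7 (image load); the drive letter, process IDs and the DLL name are constructed placeholders.

```python
# Added example: flag a Windows system binary that runs outside the system
# directories and loads a DLL from its own folder (DLL side-loading pattern).
import ntpath

# Directories where calc.exe legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries to watch; calc.exe is the one named in the article.
WATCHED = {"calc.exe"}

# Constructed sample events shaped like Sysmon Event ID 1 (process creation)
# and Event ID 7 (image load). Paths, PIDs and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "Image": r"E:\calc.exe"},
    {"id": 7, "pid": 4120, "ImageLoaded": r"E:\placeholder_loader.dll"},
    {"id": 7, "pid": 4120, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "pid": 5300, "Image": r"C:\Windows\System32\calc.exe"},
    {"id": 7, "pid": 5300, "ImageLoaded": r"C:\Windows\System32\gdi32.dll"},
]

def norm_dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(ntpath.normpath(path)).lower()

def find_sideloads(events):
    """Return alerts for watched binaries started outside SYSTEM_DIRS,
    with any DLLs they loaded from their own directory."""
    suspects = {}  # pid -> alert record
    for ev in events:
        if ev["id"] == 1:
            image = ev["Image"]
            name = ntpath.basename(image).lower()
            if name in WATCHED and norm_dir(image) not in SYSTEM_DIRS:
                suspects[ev["pid"]] = {"image": image, "local_dlls": []}
        elif ev["id"] == 7 and ev["pid"] in suspects:
            rec = suspects[ev["pid"]]
            loaded = ev["ImageLoaded"]
            if (loaded.lower().endswith(".dll")
                    and norm_dir(loaded) == norm_dir(rec["image"])):
                rec["local_dlls"].append(loaded)
    return list(suspects.values())

if __name__ == "__main__":
    for alert in find_sideloads(SAMPLE_EVENTS):
        print("ALERT", alert["image"], "loaded", alert["local_dlls"])
```

The first check alone (a system binary executing from a mounted image or user-writable folder) is already worth alerting on; the image-load correlation identifies which co-located library was pulled in.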