The Qakbot malware has been spotted abusing the Windows 7 Calculator app for attacks, according to Cyble Research Labs.

During a routine threat-hunting exercise last week, researchers came across a Twitter post in which a researcher shared new indicators of compromise (IOCs) related to the Qakbot malware, aka QBot. The tweet, by threat researchers ProxyLife, said that Qakbot has abused the Windows 7 Calculator app for DLL sideloading attacks since at least July 11.

In a blog post, Cyble Research Labs explained that Qakbot uses a mass-spamming email campaign to steal credentials from the victim’s system and uses them to make money. Along with the financial impact, these attacks can also lead to incidents of fraud and identity theft for any victim of Qakbot malware.

Qakbot is a Windows malware strain that started as a banking trojan but evolved into a malware dropper. The researchers say it is often used by ransomware gangs in the early stages of an attack to drop Cobalt Strike beacons.

Using DLL sideloading to bypass endpoint protection has been a well-known technique for several years, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said what’s notable about this latest QBot campaign is that the first stage runs as a phishing attack and the second relies on the Windows 7 Calculator application. On the first point, Parkin said it puts the emphasis back on the need for user education.

“While good anti-phishing-spam-malware tools for email can reduce the risk, it ultimately comes down to the users knowing when not to open an attachment,” Parkin said. “This attack relies on them not only opening the attachment, but using a provided password to decrypt it, which users really should know better than to do. They don’t, unfortunately, which is the problem. The second part relies on the Windows 7 version of calc, as the Windows 10 version is not vulnerable. Seeing that Windows 7 was end-of-life almost two-and-a-half years ago, this highlights the need to retire obsolete operating systems and applications.”

Saryu Nayyar, founder and chief executive officer at Gurucul, added that threat actors continue to leverage email attacks to achieve the initial compromise from which they execute the core of their attack campaign. Nayyar said once the user accidentally clicks on a link, the full malware gets executed, and this opens up systems to well-known tools like Cobalt Strike.

“The reality is the QBot malware goes undetected by many current SIEMs and even XDR tools based on masking itself as a legitimate .DLL,” Nayyar said. “However, neither QBot nor Cobalt Strike are new tools. This shows that organizations need to invest in better security analytics, including a mature set of behavioral analytics, that can detect unusual activity and not just known attacks that have been modified as a new variant.”
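As an added example (not code from Cyble, ProxyLife or SC Media), the kind of detection logic a defender could run over image-load telemetry to surface the sideloading pattern described above: a copy of calc.exe loading a DLL from outside the Windows system directories. The Sysmon-style field names, the system-directory list and the sample records are assumptions constructed for this illustration.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: the OS-supplied calc.exe and its legitimate imports live only here.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoaded); not real telemetry.
SAMPLE_LOADS = [
    {"Image": r"C:\Windows\System32\calc.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Windows\System32\calc.exe", "ImageLoaded": r"C:\Windows\SysWOW64\ole32.dll"},
    # calc.exe copied to a user-writable folder and loading a DLL dropped beside it
    {"Image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sideload_example.dll"},
    # the real calc.exe resolving a DLL from a non-system location
    {"Image": r"C:\Windows\System32\calc.exe", "ImageLoaded": r"C:\ProgramData\sideload_example.dll"},
    # unrelated process; outside the scope of this rule
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\ProgramData\other.dll"},
]


def under_system_dir(path: str) -> bool:
    """True if path sits inside one of SYSTEM_DIRS (case-insensitive, as NTFS is)."""
    normalized = str(PureWindowsPath(path.lower()))
    return any(normalized.startswith(str(d).lower() + "\\") for d in SYSTEM_DIRS)


def classify_image_load(record: dict) -> Optional[str]:
    """Return a finding for one image-load record, or None if it looks benign."""
    host = PureWindowsPath(record["Image"])
    dll = PureWindowsPath(record["ImageLoaded"])
    if host.name.lower() != "calc.exe" or dll.suffix.lower() != ".dll":
        return None
    if not under_system_dir(str(host)):
        # Assumption: a legitimate calc.exe never runs from a user-writable path.
        return f"calc.exe running from non-system path {host}"
    if not under_system_dir(str(dll)):
        return f"calc.exe loaded DLL from non-system path {dll}"
    return None


def find_sideload_candidates(records) -> list:
    """Apply classify_image_load to every record and collect the findings."""
    return [f for f in (classify_image_load(r) for r in records) if f]


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_LOADS):
        print("ALERT:", finding)
```

On a real host the same check would be fed from Sysmon or EDR image-load events rather than the constructed list, and the directory allowlist adjusted to the local %SystemRoot%.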