Threat Actors Leveraging DLL-SideLoading to Deliver Malware
During a routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher shared new IoCs related to the infamous Qakbot malware.
Qakbot gains initial access through mass spam email campaigns. The Threat Actors (TAs) behind Qakbot have continuously evolved their infection techniques since the malware was first identified in the wild.
In this campaign, the spam email carries an HTML attachment that drops a password-protected zip file containing an ISO image. When mounted, the ISO shows only a .lnk file masquerading as a PDF. If the victim opens the .lnk file, the system is infected with Qakbot. The figure below shows Qakbot’s infection chain.
The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments.
In this campaign, the spam email carries an HTML attachment that embeds base64-encoded images and a base64-encoded, password-protected ZIP file, as shown below.
When the HTML file is opened in a browser, its embedded script decodes the ZIP and writes it to the Downloads folder without further user interaction. In our sample, the zip file is named “Report Jul 14 47787.zip”. The zip password is displayed in the HTML page itself, as shown below.
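As an added example (not code from the original post), the following Python script performs the triage an analyst would do on such an HTML attachment: it pulls out every long base64 run, identifies each decoded blob by its magic bytes, lists the members of any embedded ZIP without extracting them, reports whether the ZIP is flagged as encrypted, and looks for a password hint in the surrounding text. The sample HTML it builds at the bottom is constructed for the demo: it reuses the file names from this campaign but is not the real attachment, and its ZIP only has the encryption flag bit set rather than being actually encrypted.

```python
"""Triage an HTML attachment for smuggled archives (added example, not the post's code)."""
import base64
import binascii
import io
import json
import re
import zipfile

# A base64 run this long is a payload, not an inline icon (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Heuristic for the lure text that hands the victim the archive password.
PASSWORD_HINT = re.compile(rb"password\W{0,20}([A-Za-z0-9!@#$%^&*_-]{4,32})", re.I)


def sniff(blob):
    """Classify a decoded blob by magic bytes; ISO9660 carries 'CD001' at offset 0x8001."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"%PDF"):
        return "pdf"
    if blob.startswith(b"\x89PNG"):
        return "png"
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.startswith(b"MZ"):
        return "pe"
    if len(blob) > 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def describe_zip(blob):
    """List members from the central directory only; nothing is extracted or decrypted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = zf.infolist()
    return {
        "members": [m.filename for m in members],
        "encrypted": any(m.flag_bits & 0x1 for m in members),  # bit 0 = traditional encryption
    }


def triage_html(html):
    """Return every smuggled payload found in the HTML plus any password hints."""
    findings = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # long alphanumeric run that is not valid base64
        kind = sniff(blob)
        finding = {"offset": m.start(), "kind": kind, "size": len(blob)}
        if kind == "zip":
            try:
                finding.update(describe_zip(blob))
            except zipfile.BadZipFile:
                finding["members"] = None
        findings.append(finding)
    hints = [h.decode(errors="replace") for h in PASSWORD_HINT.findall(html)]
    return {"payloads": findings, "password_hints": hints}


def _mark_encrypted(zip_bytes):
    """Test fixture helper: set the 'encrypted' flag bit in every local and central
    header so the archive reports as password-protected. Data is NOT really encrypted."""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + flag_off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_sample_html():
    """Constructed fixture: a decoy inline image plus a smuggled ZIP dropped by script."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(200)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Report Jul 14 47787.iso", bytes(range(256)) * 2)  # dummy ISO content
    zipped = _mark_encrypted(buf.getvalue())
    return (
        b"<html><body><img src='data:image/png;base64," + base64.b64encode(png) + b"'>"
        b"<p>Document password: 47787</p>"
        b"<script>var b='" + base64.b64encode(zipped) + b"';"
        b"var a=document.createElement('a');a.href='data:application/zip;base64,'+b;"
        b"a.download='Report Jul 14 47787.zip';a.click();</script></body></html>"
    )


if __name__ == "__main__":
    print(json.dumps(triage_html(build_sample_html()), indent=2))
```

Point the script at a real attachment by reading it as bytes and passing it to `triage_html`; the ZIP member list tells you what the second stage is before anything is opened, and the encryption flag explains why a gateway scanner could not inspect it.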
Opening the zip file with the password extracts a single ISO image named “Report Jul 14 47787.iso”. The ISO contains four files, among them:
- a .lnk file
- a legitimate copy of calc.exe
- the malicious WindowsCodecs.dll described below
The figure below shows the details of extracted files.
When the user double-clicks the ISO file, Windows mounts it as a drive and shows only the .lnk file. In this case, the .lnk file is named “Report Jul 14 4778.lnk” and masquerades as a PDF file.
The .lnk file’s properties show that its target is the calc.exe inside the mounted ISO. The figure below shows the .lnk file.
DLL sideloading is a technique TAs use to execute malicious code through a legitimate, often signed, application. The TA places the legitimate application and a malicious DLL together in the same directory.
The malicious DLL carries the same name as a DLL the application loads at startup. Because Windows searches the directory containing the executable before the system directories for any DLL that is not loaded by full path and is not on the KnownDLLs list, the attacker’s copy is the one that gets loaded, and its code runs inside the trusted process.
In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support library for calc.exe.
When calc.exe runs, it loads the malicious WindowsCodecs.dll, which in turn executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all further malicious activity from there.
The figure below shows the execution process tree of Qakbot.
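The chain above (a system binary running from a mounted ISO, loading a DLL from its own directory, spawning regsvr32.exe, which injects into explorer.exe) is what a detection engineer would look for in endpoint telemetry. The following is an added example, not code from the original post: it runs four rules over constructed Sysmon-style events (ID 1 process creation, ID 7 image load, ID 8 remote thread) and rebuilds the process tree for a flagged PID. The DLL and EXE name sets, the “parents that never spawn proxy binaries” list, and the sample events are assumptions for the demo, not data from the campaign.

```python
"""Detection rules for the calc.exe -> WindowsCodecs.dll -> regsvr32.exe -> explorer.exe
chain, run over Sysmon-style events (added example, not the post's code)."""
import json
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLLs that ship in System32; loading one of these names from anywhere else is a
# side-loading candidate (assumed subset; build the real list from a clean host).
SYSTEM_DLL_NAMES = {"windowscodecs.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
# Microsoft binaries that only belong in the system directories (assumed subset).
SYSTEM_EXE_NAMES = {"calc.exe", "regsvr32.exe", "rundll32.exe", "notepad.exe"}
# Proxy-execution binaries, and parents that have no business spawning them (assumed).
PROXY_EXEC = {"regsvr32.exe", "rundll32.exe"}
NO_SPAWN_PARENTS = {"calc.exe", "notepad.exe", "mspaint.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:  # ProcessCreate
            image, parent = e["Image"], e["ParentImage"]
            if _name(image) in SYSTEM_EXE_NAMES and _dir(image) not in SYSTEM_DIRS:
                alerts.append({"rule": "relocated_system_binary", "pid": e["ProcessId"], "detail": image})
            if _name(image) in PROXY_EXEC and _name(parent) in NO_SPAWN_PARENTS:
                alerts.append({"rule": "proxy_exec_unexpected_parent", "pid": e["ProcessId"],
                               "detail": f"{parent} -> {image}"})
        elif eid == 7:  # ImageLoad
            loaded = e["ImageLoaded"]
            if _name(loaded) in SYSTEM_DLL_NAMES and _dir(loaded) not in SYSTEM_DIRS:
                alerts.append({"rule": "dll_sideload", "pid": e["ProcessId"], "detail": loaded,
                               # classic side-load: DLL sits in the same directory as the EXE
                               "beside_exe": _dir(loaded) == _dir(e["Image"])})
        elif eid == 8:  # CreateRemoteThread
            src, tgt = e["SourceImage"], e["TargetImage"]
            if _name(tgt) == "explorer.exe" and (_name(src) in PROXY_EXEC or _dir(src) not in SYSTEM_DIRS):
                alerts.append({"rule": "remote_thread_into_explorer", "pid": e["SourceProcessId"],
                               "detail": f"{src} -> {tgt}"})
    return alerts


def process_chain(events, pid):
    """Walk ProcessId -> ParentProcessId links in Event 1 records back to the root.
    Caveat: PIDs are reused; a real deployment should key on Sysmon's ProcessGuid."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in procs:
        e = procs[pid]
        chain.append(_name(e["Image"]))
        pid = e["ParentProcessId"]
        if pid not in procs:  # parent never logged (started before Sysmon); use its name
            chain.append(_name(e["ParentImage"]))
    chain.reverse()
    return chain


# Constructed sample telemetry: a benign calc.exe from System32, then the side-load chain.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"EventID": 1, "ProcessId": 5100, "ParentProcessId": 3000, "Image": "C:\\Windows\\System32\\calc.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessId": 5100, "Image": "C:\\Windows\\System32\\calc.exe", "ImageLoaded": "C:\\Windows\\System32\\WindowsCodecs.dll"}
{"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3000, "Image": "D:\\calc.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessId": 4120, "Image": "D:\\calc.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ProcessId": 4120, "Image": "D:\\calc.exe", "ImageLoaded": "D:\\WindowsCodecs.dll"}
{"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "D:\\calc.exe"}
{"EventID": 8, "SourceProcessId": 4200, "TargetProcessId": 3000, "SourceImage": "C:\\Windows\\System32\\regsvr32.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
'''.strip().splitlines()]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], "|", " > ".join(process_chain(SAMPLE_EVENTS, a["pid"])), "|", a["detail"])
```

The benign calc.exe and its System32 copy of WindowsCodecs.dll produce nothing; the copy on the mounted ISO trips the relocated-binary rule first, then the side-load rule, so the alert arrives before regsvr32.exe or the injection into explorer.exe ever happens.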
The TAs behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact.
Qakbot steals credentials from the victim’s system and uses them for the TA’s financial gain. Beyond the direct financial loss, this can lead to fraud, identity theft, and other consequences for any victim of Qakbot malware.
Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.
- Do not open emails from unknown or irrelevant senders.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Rotate passwords at regular intervals.
- Use reputable anti-virus and internet security software on all connected devices, including PCs, laptops, and mobile devices.
- Avoid opening untrusted links and email attachments without first verifying their authenticity.
- Block URL categories commonly used to spread malware, e.g., torrent/warez sites.
- Block or quarantine ISO and other disk-image attachments at the mail gateway; mounting an image is what lets the .lnk and DLL in this campaign run from a clean-looking drive.
- Alert on signed system binaries (such as calc.exe) executing from outside the Windows directories, and on system DLL names being loaded from the executable’s own directory.
- Monitor network traffic for beaconing to command-and-control servers so that data exfiltration by malware or TAs can be detected and blocked.
- Enable Data Loss Prevention (DLP) solutions on employees’ systems.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1027.006 | Obfuscated Files and Information: HTML Smuggling |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1218.010 | System Binary Proxy Execution: Regsvr32 |
| Defense Evasion | T1055 | Process Injection |
Indicators of Compromise (IOCs)

| Indicator | Description |
|---|---|
| Report Jul 14 47787.html | HTML attachment delivered by the spam email |
| Report Jul 14 47787.zip | Password-protected ZIP dropped by the HTML file |
| Report Jul 14 47787.iso | ISO image extracted from the ZIP |