Threat Actors Leveraging DLL-SideLoading to Deliver Malware
During a routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher shared new IoCs related to the infamous Qakbot malware.
For initial infection, Qakbot uses an email mass spamming campaign. The Qakbot Threat Actors (TAs) have continuously evolved their infection techniques ever since it was initially identified in the wild.
In this campaign, the spam email contains a password-protected zip file which contains an ISO file. When mounted, this ISO file shows a .lnk file masquerading as a PDF file. If the victim opens the .lnk file, the system is infected with Qakbot malware. The figure below shows the Qakbot’s infection chain.
Technical Analysis
The initial infection of Qakbot starts with a malicious spam campaign that contains various themes to lure the users into opening the attachments.
In this campaign, the spam email contains an HTML file that has base64 encoded images and a password-protected ZIP file, as shown below.
After opening the HTML file, it will automatically drop the password-protected zip file in the Downloads location. In our sample, the zip file is named “Report Jul 14 47787.zip.” The zip password is mentioned in the HTML, as shown below.
Upon opening the zip file using the password, it extracts another file from the folder containing an ISO image file named “Report Jul 14 47787.iso”. The ISO file contains four different files:
- a .lnk file
- a legitimate calc .exe
- WindowsCodecs.dll
- 7533.dll.
The figure below shows the details of extracted files.
If the user executes the ISO file, it mounts the ISO to a drive and shows only the .lnk file to the user. In this case, the .lnk file is named “Report Jul 14 4778.lnk” andmasquerades as a PDF file.
The property of the .lnk file shows that it executes calc.exe present in the ISO file. The figure below shows the .lnk file.
DLL Sideloading:
DLL sideloading is a technique used by TAs to execute malicious code using legitimation applications. In this technique, TAs place legitimate applications and malicious .dll files together in a common directory.
The malicious .dll file name is the same as a legitimate file loaded by the application during execution. The attacker leverages this trick and executes the malicious .dll file.
In this case, the application is calc.exe, and the malicious file named WindowsCodecs.dll masquerades as a support file for calc.exe.
Upon executing the calc.exe, it further loads WindowsCodec.dll and executes the final Qakbot payload using regsvr32.exe. The final payload injects its malicious code into explorer.exe and performs all the malicious activities.
The figure below shows the execution process tree of Qakbot.
Conclusion
The TAs behind Qakbot are highly active and are continuously evolving their methods to increase their efficacy and impact.
Qakbot steals credentials from the victim’s system and uses them for the TA’s financial gain. Apart from the direct financial impact, this can also lead to incidences of fraud, identity theft, and other consequences for any victim of Qakbot malware.
Cyble Research Labs is monitoring the activity of Qakbot and will continue to inform our readers about any updates promptly.
Our Recommendations
- Do not open emails from unknown or irrelevant senders.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use reputed anti-virus solutions and internet security software packages on your connected devices, including PCs, laptops, and mobile devices.
- Avoid opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could use to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Défense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Défense Evasion | T1055 | Process Injection |
Indicator Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| d79ac5762e68b8f19146c78c85b72d5e 899c8c030a88ebcc0b3e8482fbfe31e59d095641 cb83a65a625a69bbae22d7dd87686dc2be8bd8a1f8bb40e318e20bc2a6c32a8e | MD5 SHA1 SHA256 | Report Jul 14 47787.html |
| a4a09d3d5905910ad2a207522dcec67c 8e7984a0af138aac5427b785e4385cdc6b9b8963 197ee022aa311568cd98fee15baf2ee1a2f10ab32a6123b481a04ead41e80eee | MD5 SHA1 SHA256 | Report Jul 14 47787.zip |
| b6cb21060e11c251ed52d92e83cbcf42 b2a3d6a620c050fd03f1e16649c6b5bfdc195089 9887e7a708b4fc3a91114f78ebfd8dcc2d5149fd9c3657872056ca3e5087626d | MD5 SHA1 SHA256 | Report Jul 14 47787.iso |
| 21930abbbb06588edf0240cc60302143 48bf9b838ecb90b8389a0c50b301acc32b44b53e 8760c4b4cc8fdcd144651d5ba02195d238950d3b70abd7d7e1e2d42b6bda9751 | MD5 SHA1 SHA256 | WindowsCodecs.dll |
| a8c071f4d69627f581fa15495218bff7 25beb06d731192ea20bc7eb0c81ae952f2a0bd33 c992296a35528b12b39052e8dedc74d42c6d96e5e63c0ac0ad9a5545ce4e8d7e | MD5 SHA1 SHA256 | 7533.dll |
