Cybercriminals abuse the Windows 7 calculator to quietly execute the QBot malware dropper.

Security researcher ProxyLife discovered the method while analysing QBot, a malware dropper. Droppers open the door to ransomware attacks: before attackers can deploy further payloads or exchange data with a target device, they need an initial foothold that runs without drawing attention, and the dropper provides it.

Most professional security measures detect and block droppers, so a dropper only works if it stays under the radar. DLL sideloading is a common way to achieve that: the attacker places a malicious DLL next to a legitimate, usually signed, application that will load it, so the malicious code runs inside a trusted process instead of as a stand-alone executable that would trigger alerts. QBot's distributors opted for the Windows 7 calculator.

Method

The attack starts with a phishing e-mail. The victim opens an attached HTML file, which downloads a .ZIP archive containing an .ISO file. The victim is instructed to mount the .ISO, which exposes four files: two .DLLs, a shortcut (.LNK) and a copy of the Windows 7 calculator (calc.exe). Clicking the shortcut launches the calculator.

The Windows 7 calculator imports a number of .DLLs, and Windows resolves those imports at load time by searching a fixed list of locations. For a DLL that is not already loaded and not on the system's list of known DLLs, the first location searched is the directory the application was started from. Because calc.exe sits on the mounted .ISO next to the attacker's DLLs, the loader picks up the malicious DLL instead of the legitimate copy in the Windows system directory, and the calculator unknowingly executes the dropper. The malicious code now runs inside a signed Microsoft process, so security tools that trust the calculator on that basis let the dropper proceed undisturbed.
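The search-order mechanism described above, as an added example that is not code from the article or from Cyble's report. It models a simplified default Windows DLL search order in Python and shows why a DLL dropped next to calc.exe wins over the copy in System32, while known DLLs such as kernel32.dll cannot be hijacked this way. The mounted-ISO drive letter, the directory contents, the calculator's import list and the name of the hijacked DLL (WindowsCodecs.dll) are assumptions for the example; the article itself does not name the two DLLs.

```python
# Added example (not from the article or Cyble's report): a small model of the
# Windows DLL search order that shows why a DLL dropped next to the Windows 7
# calc.exe wins over the copy in System32, and why "known DLLs" such as
# kernel32.dll cannot be hijacked this way. Directory contents and the name of
# the hijacked DLL (WindowsCodecs.dll) are assumptions for the example.

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Names the loader maps from the KnownDLLs object directory without any
# directory search at all (a small subset of the real list).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "shell32.dll"}


def search_order(app_dir, cwd, path_dirs=()):
    """Simplified default search order for a DLL that is neither loaded nor a
    known DLL (SafeDllSearchMode enabled, no manifest or LoadLibraryEx flags)."""
    return [app_dir, SYSTEM32, WINDIR, cwd, *path_dirs]


def _has(fs, directory, name):
    """Case-insensitive file presence check in the constructed file system."""
    return name.lower() in {f.lower() for f in fs.get(directory, ())}


def resolve_import(dll_name, app_dir, cwd, fs, path_dirs=()):
    """Return (directory, reason) the loader would load dll_name from.

    fs maps a directory to the set of file names present in it (constructed)."""
    if dll_name.lower() in KNOWN_DLLS:
        return SYSTEM32, "known DLL"
    for directory in search_order(app_dir, cwd, path_dirs):
        if _has(fs, directory, dll_name):
            return directory, "search order"
    return None, "not found"


def sideload_candidates(imports, app_dir, cwd, fs, path_dirs=()):
    """Imports that resolve to the application directory even though a copy
    also exists in System32: the search-order hijack used against calc.exe."""
    hits = []
    for dll in imports:
        directory, _ = resolve_import(dll, app_dir, cwd, fs, path_dirs)
        if directory == app_dir and _has(fs, SYSTEM32, dll):
            hits.append(dll)
    return hits


# Constructed file system: E:\ is the mounted .ISO holding the four files from
# the article; System32 holds the legitimate DLLs.
ISO_DIR = "E:\\"
SAMPLE_FS = {
    ISO_DIR: {"calc.exe", "calc.lnk", "WindowsCodecs.dll", "payload.dll"},
    SYSTEM32: {"kernel32.dll", "ntdll.dll", "user32.dll", "shell32.dll",
               "gdi32.dll", "WindowsCodecs.dll"},
}
# Constructed import list for the calculator (a real one is much longer).
CALC_IMPORTS = ["kernel32.dll", "user32.dll", "shell32.dll", "gdi32.dll",
                "WindowsCodecs.dll"]


def demo():
    """Imports of the calculator on the ISO that an attacker's DLL would capture."""
    return sideload_candidates(CALC_IMPORTS, ISO_DIR, ISO_DIR, SAMPLE_FS)


if __name__ == "__main__":
    for dll in CALC_IMPORTS:
        print(dll, "->", resolve_import(dll, ISO_DIR, ISO_DIR, SAMPLE_FS))
    print("hijack candidates:", demo())
```

The model deliberately leaves out the 16-bit System directory, manifests, DLL redirection and API sets; the point it makes is that only imports outside the known-DLL list are exposed, which is why the attacker needs a DLL such as an imaging library rather than kernel32.dll.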

Prevention

ProxyLife described the files and method on the website of security company Cyble. The published details let you counter the dropper with firewalls and Windows policies. The attackers ship the Windows 7 calculator because the calculator included with Windows 10 and 11 no longer loads its DLLs this way; the Windows 7 calc.exe they bring along still runs on those systems, however, so Windows 10 and 11 hosts are not out of reach of this dropper.
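One way to turn the published details into detection logic, as an added example that is not the article's or Cyble's code: a Python rule that flags a DLL carrying a system-DLL name when a process loads it from its own directory outside C:\Windows and the DLL is not signed by Microsoft. The records below are constructed in the shape of Sysmon Event ID 7 (ImageLoaded) messages; the times, paths and signer names are made up, and the list of system DLL names is an assumed subset.

```python
# Added example (not from the article or Cyble's report): detection logic for
# the sideloading step, run over constructed image-load records in the shape
# of Sysmon Event ID 7 (ImageLoaded) messages. Times, paths and signature
# values are made up for the example.
import ntpath

# DLL names that normally live only in the Windows system directory
# (assumed subset; a real rule would draw this from a clean reference host).
SYSTEM_DLL_NAMES = {"windowscodecs.dll", "version.dll", "dwmapi.dll",
                    "cryptbase.dll", "wtsapi32.dll"}

# Constructed records: a normal calculator start, the calculator on the
# mounted ISO loading the attacker's DLL, and a vendor app loading its own DLL.
SAMPLE_EVENTS = """\
UtcTime: 2022-07-20 10:01:12.345
Image: C:\\Windows\\System32\\calc.exe
ImageLoaded: C:\\Windows\\System32\\WindowsCodecs.dll
Signed: true
Signature: Microsoft Windows

UtcTime: 2022-07-20 10:02:03.111
Image: E:\\calc.exe
ImageLoaded: E:\\WindowsCodecs.dll
Signed: false
Signature: -

UtcTime: 2022-07-20 10:02:40.900
Image: C:\\Program Files\\Vendor\\app.exe
ImageLoaded: C:\\Program Files\\Vendor\\helper.dll
Signed: true
Signature: Vendor Ltd
"""


def parse_events(text):
    """Parse blank-line separated 'Field: value' records into dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def is_sideload(event):
    """True when a system-DLL name is loaded from the host process's own
    directory outside C:\\Windows and the DLL is not Microsoft-signed."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    image_dir = ntpath.dirname(image).lower()
    loaded_dir = ntpath.dirname(loaded).lower()
    name = ntpath.basename(loaded).lower()
    if name not in SYSTEM_DLL_NAMES:
        return False
    if loaded_dir != image_dir:
        return False
    if loaded_dir.startswith(r"c:\windows"):
        return False
    signed_by_ms = (event.get("Signed", "").lower() == "true"
                    and event.get("Signature", "").startswith("Microsoft"))
    return not signed_by_ms


def find_sideloads(text):
    """Return (time, process image, loaded DLL) for every flagged record."""
    return [(e["UtcTime"], e["Image"], e["ImageLoaded"])
            for e in parse_events(text) if is_sideload(e)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("DLL sideloading suspected:", hit)
```

The rule keys on the DLL name rather than on calc.exe, because the same trick works with any signed binary that imports a non-known DLL. Expect tuning: legitimate software that bundles a Microsoft redistributable next to its own executable will match unless the signer check is kept, and a process copied from a mounted image or a temp directory is itself a signal worth a separate rule.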
