QBot Trojan upgraded to ransomware tool, abuses Windows 10 WordPad executable and infects devices through DLL hijacking

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

CTOnews.com, May 28: according to a report by foreign technology media outlet BleepingComputer, security expert and Cryptolaemus member ProxyLife discovered a new QBot phishing campaign that abuses the WordPad executable write.exe in Windows 10 and spreads through a DLL hijacking vulnerability.

QBot, also known as Qakbot, is a Windows malware family. QBot first appeared as a banking Trojan and then evolved into a malware dropper.

Security experts have identified ransomware gangs such as Black Basta, Egregor and Prolock that use the malware to launch extortion attacks on a number of corporate networks.

After the victim clicks the link, a randomly named ZIP archive is downloaded from the remote host. The archive contains document.exe and a DLL file named edputil.dll (used for DLL hijacking).

CTOnews.com attaches a screenshot here. Looking at the properties of document.exe, you can see that it is a renamed copy of the legitimate WordPad executable Write.exe.

When document.exe starts, it automatically attempts to load a legitimate DLL file named edputil.dll, which is normally located in the C:\Windows\System32 folder.

However, when the executable tries to load edputil.dll, it looks in its own folder first, so the malicious edputil.dll placed in the same folder as document.exe takes precedence over the legitimate copy.
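A defender-side check for the load pattern described above, added here as an example and not taken from the original report. It flags module-load records in which a DLL that belongs in System32 is loaded from elsewhere by a renamed host binary. The record fields (`image`, `original_name`, `loaded`), the sample paths and the watchlist are assumptions constructed for illustration, not a real telemetry schema.

```python
import ntpath  # Windows path rules, usable on any OS

# Directories where a Windows system DLL is expected to live.
SYSTEM_DIRS = {ntpath.normcase(d) for d in (r"C:\Windows\System32",
                                            r"C:\Windows\SysWOW64")}
# DLL names to watch. edputil.dll is the one named in the article; in practice
# this set would be built from a listing of a clean System32 (assumption).
WATCHED_DLLS = {"edputil.dll"}

def classify(event):
    """Return the findings for one module-load record (empty list = benign)."""
    image = ntpath.normcase(event["image"])
    loaded = ntpath.normcase(event["loaded"])
    if ntpath.basename(loaded) not in WATCHED_DLLS:
        return []
    if ntpath.dirname(loaded) in SYSTEM_DIRS:
        return []  # normal load from the system directory
    findings = ["system-dll-outside-system32"]
    # The application directory is searched first, so a planted copy wins.
    if ntpath.dirname(loaded) == ntpath.dirname(image):
        findings.append("loaded-from-application-directory")
    # Host binary runs under a name other than the one in its version info.
    if ntpath.basename(image) != event["original_name"].lower():
        findings.append("renamed-host-binary")
    return findings

def flagged(events):
    """Indexes of the records that produced at least one finding."""
    return [i for i, e in enumerate(events) if classify(e)]

# Constructed sample records (not real telemetry).
EVENTS = [
    {"image": r"C:\Windows\System32\write.exe", "original_name": "write.exe",
     "loaded": r"C:\Windows\System32\edputil.dll"},
    {"image": r"C:\Users\alice\Downloads\a1b2c3\document.exe",
     "original_name": "Write.exe",
     "loaded": r"C:\Users\alice\Downloads\a1b2c3\edputil.dll"},
    {"image": r"C:\Users\alice\Downloads\tool\tool.exe",
     "original_name": "tool.exe",
     "loaded": r"C:\Users\alice\Downloads\tool\helper.dll"},
]

if __name__ == "__main__":
    for i in flagged(EVENTS):
        print(EVENTS[i]["image"], "->", ", ".join(classify(EVENTS[i])))
```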
