Hackers have begun abusing a flaw in the WordPad text editor that comes preloaded with the Windows 10 operating system. The campaign is attributed to the well-known Windows malware QBot, and it works by hijacking a DLL, a library file containing functions that can be used by more than one program at the same time.
A cybersecurity researcher and member of Cryptolaemus, going by the alias ProxyLife, discovered this malware, which is currently distributed as a link attached to an email. When a person clicks on the link, it downloads a randomly named ZIP archive from a remote host. The ZIP file contains two files: document.exe (the Windows 10 WordPad executable) and a DLL file named edputil.dll (used for the DLL hijack).
When document.exe is launched, it automatically attempts to load a legitimate DLL called edputil.dll, which is normally located in the C:\Windows\System32 folder. The executable does not request the DLL from a specific folder, so it will load any DLL of that name found in the same folder as document.exe itself. The hackers capitalised on this search-order behaviour to perform a DLL hijack: they created a malicious version of edputil.dll and stored it in the same folder as document.exe, so that their code runs under a legitimate Windows program and evades detection.
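The layout described above (a renamed system executable shipped next to a DLL that shares its name with one in System32) is easy to hunt for on disk. The following is an added defender-side example, not code from the article or from the researcher; the directory layout, file contents and reference hashes are constructed inline, and on a real host `reference_hashes` would be pointed at C:\Windows\System32.

```python
"""Flag DLL search-order hijack candidates: a DLL in a user-writable folder
whose name matches a system DLL and which sits next to an .exe loader.
Added example; the sample tree below is constructed, not real malware."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def reference_hashes(system_dll_dir: Path) -> dict:
    """Map lowercase DLL name -> sha256 of the legitimate system copy."""
    return {p.name.lower(): sha256_of(p) for p in system_dll_dir.glob("*.dll")}


def find_sideload_candidates(root: Path, reference: dict) -> list:
    """Return (dll_path, co-located exe names, reason) for suspicious DLLs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dlls = [f for f in files if f.lower().endswith(".dll")]
        exes = [f for f in files if f.lower().endswith(".exe")]
        if not dlls or not exes:
            continue  # a hijack needs a loader EXE beside the DLL
        for dll in dlls:
            ref = reference.get(dll.lower())
            if ref is None:
                continue  # not a name the OS ships; out of scope here
            path = Path(dirpath) / dll
            if sha256_of(path) == ref:
                reason = "exact copy of system DLL outside system dir (unusual)"
            else:
                reason = "system DLL name with different content (likely hijack)"
            findings.append((str(path), sorted(exes), reason))
    return findings


def demo() -> list:
    """Build the constructed document.exe + edputil.dll layout and scan it."""
    tmp = Path(tempfile.mkdtemp())
    sysdir = tmp / "System32"
    sysdir.mkdir()
    (sysdir / "edputil.dll").write_bytes(b"LEGIT EDPUTIL")  # stand-in bytes
    unzipped = tmp / "Downloads" / "unzipped"
    unzipped.mkdir(parents=True)
    (unzipped / "document.exe").write_bytes(b"MZ renamed wordpad")  # loader
    (unzipped / "edputil.dll").write_bytes(b"PLANTED LOADER DLL")   # hijack
    (unzipped / "readme.dll").write_bytes(b"not a system dll name")
    return find_sideload_candidates(tmp / "Downloads", reference_hashes(sysdir))
```

Hashing against a trusted reference set separates an innocuous copy of a system DLL from a same-named replacement; pairing the check with Authenticode signature verification on Windows tightens it further.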
Once running, QBot quietly operates in the background, stealing emails for use in further phishing attacks and eventually downloading other payloads, such as Cobalt Strike, a post-exploitation toolkit threat actors use to gain access to the infected device. That access is then used as a foothold to spread laterally throughout the network, leading to data theft and ransomware attacks. The battle against threat actors is getting more interesting as a new malware named steal has emerged from the darknet and is after your data.
To stay safe from the attack, security experts warn against clicking on an attached link whose sender is not verified. They also recommend strengthening system defences and implementing AI-based security defences to reduce the chances of infection. Internet security is further strengthened with a hide VPN service and constant updating of Windows to protect against critical and zero-day threats.