A vulnerability has been discovered in the WordPad text editor in Windows 10, and it is being exploited by cyber criminals to spread the Qbot malware. This was reported by one of the experts of the Cryptolaemus community.
When it starts up, WordPad looks for the DLLs it needs to run properly. It begins its search in the folder where the program's executable is located, and if it finds them there, it loads them automatically, even if they are malicious. This attack vector is called DLL "sideloading" or "hijacking", a fairly well-known and widespread practice: attackers have previously exploited the Windows "calculator" in the same way.
Once WordPad loads the malicious DLL, that DLL in turn runs the Curl.exe executable from the System32 folder, which is used to download a second malicious DLL disguised as a PNG image. This DLL turns out to be the long-running Qbot Trojan, which intercepts emails, helps attackers with phishing attacks and initiates the download of other malware such as Cobalt Strike.
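The two steps described above, a DLL being loaded from the folder next to wordpad.exe rather than from System32 and the text editor then spawning Curl.exe, are both observable on the endpoint. The following detection sketch is an added example, not code from the article or from Cryptolaemus. It runs over constructed, Sysmon-style event records; the record layout, field names and all file paths are assumptions made for the example, and in practice they would be mapped onto Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) or the equivalent EDR telemetry.

```python
"""Detection sketch (added example) for the WordPad DLL sideloading chain.

Two checks, both derived from the chain described in the article:
  1. wordpad.exe loading a DLL from a directory other than System32 or
     SysWOW64, in particular from its own directory, which is how
     search-order sideloading shows up in image-load telemetry;
  2. wordpad.exe spawning curl.exe, something a text editor never does.

Event dicts, field names and paths below are constructed for this example.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Directories from which a system DLL load is expected and not reported.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def _norm_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def flag_dll_load(event: dict) -> Optional[str]:
    """Return a finding if an image_load event looks like a sideloaded DLL."""
    if event.get("type") != "image_load":
        return None
    if _basename(event["image"]) != "wordpad.exe":
        return None
    loaded = event["image_loaded"]
    if not loaded.lower().endswith(".dll"):
        return None
    dll_dir = _norm_dir(loaded)
    if dll_dir in TRUSTED_DLL_DIRS:
        return None
    if dll_dir == _norm_dir(event["image"]):
        reason = "same directory as wordpad.exe"
    else:
        reason = "outside System32/SysWOW64"
    return f"wordpad.exe loaded {loaded} ({reason})"


def flag_child_process(event: dict) -> Optional[str]:
    """Return a finding if a process_create event shows WordPad launching curl."""
    if event.get("type") != "process_create":
        return None
    if _basename(event["parent_image"]) != "wordpad.exe":
        return None
    if _basename(event["image"]) == "curl.exe":
        return f"wordpad.exe spawned {event['image']}"
    return None


def scan(events) -> list:
    """Apply both checks to every event and collect the findings in order."""
    findings = []
    for event in events:
        for finding in (flag_dll_load(event), flag_child_process(event)):
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: two benign records and two that match the chain.
SAMPLE_EVENTS = [
    {"type": "image_load",                                   # benign system DLL
     "image": r"C:\Users\alice\Downloads\wordpad.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load",                                   # DLL beside the exe
     "image": r"C:\Users\alice\Downloads\wordpad.exe",
     "image_loaded": r"C:\Users\alice\Downloads\example_sideloaded.dll"},
    {"type": "process_create",                               # editor spawns curl
     "parent_image": r"C:\Users\alice\Downloads\wordpad.exe",
     "image": r"C:\Windows\System32\curl.exe"},
    {"type": "process_create",                               # unrelated curl use
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The first check is deliberately broader than "same directory as the executable": any wordpad.exe DLL load from outside the Windows system directories is reported, with the same-directory case called out explicitly, because the search order the article describes means a planted DLL will always be found before the system copy.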
The danger of this method for users is that it abuses the legitimate WordPad program, so there is a risk that antivirus software will not react and the attack will go unnoticed. Another link in the chain is the Curl.exe utility, which has shipped with Windows as standard only since Windows 10.