Windows Control Panel executable bug leveraged in new QBot phishing attacks

Threat actors have been exploiting a DLL hijacking vulnerability in the Windows 10 Control Panel executable in new phishing attacks deploying the QBot malware, also known as QakBot, reports BleepingComputer. Stolen reply-chain emails are being leveraged by attackers in the new phishing campaign that involves HTML file delivery, with the file enabling the download of an ISO file-containing password-protected ZIP archive, according to a report from ProxyLife. Within the ISO file are the Windows 10 Control Panel executable "control.exe," a Windows Shortcut file, and two DLL files, one of which is the QBot malware and the edputil.dll being used for DLL hijacking. Launching control.exe would prompt attempted loading of the real edputil.dll DLL but the malicious DLL is loaded instead due to it being in the same location as control.exe. QBot malware will then be installed by the malicious DLL and malware installation through a trusted program may help avert detection by security systems, said researchers.