WordPad, a basic yet popular word processor, is the latest Windows app to fall victim to a vulnerability exploited by threat actors.
Bundled free with almost every version of Windows since Windows 95, WordPad has remained popular thanks to its simplicity. Less complex than Microsoft Word and more advanced than the basic Notepad app, WordPad gives users an effective word processing tool. However, it’s now an app which carries a real threat to your IT security. Due to a flaw in WordPad’s design, threat actors have started to abuse this vulnerability by launching a DLL hijacking attack.
Everything You Need to Know about the WordPad Hack
You may not be familiar with DLL hijacking, so we’ll start by looking at this form of attack. DLL files are library files which can be used by multiple programs all at the same time. This makes it a highly flexible and efficient file, one which can reduce disk space and maximize memory usage. When Windows launches an app, it searches through default folders for DLLs and, if they are required, automatically loads them. What’s important to note, however, is that Windows will always give priority to loading DLLs located in the same folder as the app being launched.
DLL hijacking abuses this process by inserting malicious DLLs in the app’s parent folder. Therefore, Windows will automatically load this malicious file instead of the genuine one. This allows threat actors to guarantee their malware can be launched long after they have left the system. And this is exactly what has happened with WordPad. The hackers begin their attack by using a phishing email to trick users into downloading a file, one which contains the WordPad executable and a malicious DLL with the name of edputil.dll. Launching the WordPad file will automatically trigger the loading of the malicious DLL file.
This infected version of edputil.dll runs in the background and uses QBot, a notorious piece of malware, to not only steal data, but also download further malware. The infected PC is then used to spread the attack throughout its entire network.
Writing QBot into History
While this form of attack is far from new, it has proved successful. Accordingly, it’s important that we hammer home the basics of good cybersecurity, with a particular emphasis on phishing attacks:
- Be careful of email links and attachments: Phishing emails often contain harmful links or attachments. Be careful when clicking on links or downloading attachments, especially if they seem suspicious. Hover over the link to check the URL before clicking and only download attachments from trusted sources. If you’re unsure, always verify the email with an IT professional before clicking anything.
- Verify the email sender: phishing emails often impersonate genuine organizations or individuals. Therefore, make sure you check the sender’s email address for any inconsistencies or spelling mistakes. And, if you’re still in doubt, contact the sender by phone or in person to confirm they have sent the email.
- Always update: software manufacturers routinely issue updates to patch security vulnerabilities and improve performance. It’s crucial that these updates are installed as soon as possible to avoid threat actors exploiting these flaws. The simplest way to do this is by authorizing automatic updates.
For more ways to secure and optimize your business technology, contact your local IT professionals.