Phishing Attacks Are Now Using the Windows Calculator

LR Guanzon/Wikimedia, Google

Windows has become better and better at stopping viruses and malware, even if you don’t have the best antivirus software installed. Malware developers have to get creative to infect systems, which now includes utilizing the Windows 7 Calculator application.

security researcher ‘ProxyLife’ discovered some malware and phishing attacks are now using the Calculator application from Windows 7 to break into modern Windows PCs, as reported by Bleeping Computer. The attack starts by tricking someone into downloading an ISO disc image disguised as a PDF or other file, which contains a shortcut that opens an included copy of the Calculator application.

So, why use an outdated version of Calculator to break into systems? Well, the Windows 7 Calculator will use Dynamic Link Libraries (DLLs) in the same folder if they are present, instead of always using the libraries in the Windows system folder. Opening the Calculator doesn’t set off any alarm bells in Windows, likely because since it’s signed by Microsoft, but it can still load an infected “WindowsCodecs.dll” library bundled with Calculator. Newer versions of the Calculator app included in Windows aren’t vulnerable to switching DLLs, which is why an older version is included in the package.

image of ISO file
The files used in the phishing attack, including “calc.exe” from Windows 7 and two DLL files ProxyLife

It’s not clear yet if Microsoft has updated Defender to properly recognize this type of attack, but if you don’t download files from strange websites (or email attachments from people you don’t know), you probably don’t have to worry about it.

Via: Bleeping Computer

Leave a Comment

Your email address will not be published.