A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn.
“Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut files. It has been linked to the Lazarus Group APT due to shared TTPs and source code overlaps, but we cannot confidently attribute this campaign to any specific threat actor.” reads the report published by Zscaler. “In this campaign, threat actor use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines.”
The Quantum Builder (aka “Quantum Lnk Builder”) allows to create malicious shortcut files, it is sold on the dark web. The Quantum Builder also allows to generate malicious HTA, ISO, and PowerShell payloads that are used to drop the next-stage malware.
In the campaign observed by the experts, threat actors used the builder to generate malicious LNK, HTA, and PowerShell payloads which is used to deliver Agent Tesla on the targeted machines.
Experts noticed that this campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to past attacks.
The attack chain observed by ZScaler starts with a spear phishing email which consists of a LNK File bundled as a GZIP Archive. The messages are masqueraded as order confirmation message from a Chinese supplier of lump and rock sugar, with the LNK file concealed as a PDF document.
Upon execution of the LNK File, the embedded PowerShell code spawns MSHTA which then executes an HTA File that is hosted on a remote server.
The HTA File then decrypts a PowerShell loader script which decrypts and loads another PowerShell script after performing AES Decryption and GZIP Decompression. The decrypted PowerShell script is the Downloader PS Script, which downloads and executes the Agent Tesla binary from a remote server. The malware is executed with administrative privileges by performing a UAC Bypass using the CMSTP.
Below are the Key Features of this attack:
In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, while also adopting further obfuscation strategies to camouflage the malicious activity.
Quantum Builder has witnessed a surge in usage in recent months, with threat actors using it to distribute a variety of malware, such as RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT.
“Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations.” concludes the report. “It incorporates sophisticated techniques to evade detections, and the techniques are updated regularly by the developers. “
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Agent Tesla)