A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cyber security vendor Zscaler.
Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files. It has been linked to Lazarus — an APT (advanced persistent threat) actor linked to North Korea — due to shared tactics, techniques, procedures (TTPs) and source code overlap. “But we cannot confidently attribute this campaign to any specific threat actor,” Zscaler noted in a blog post.
Agent Tesla was first detected in 2014. In the current campaign, Quantum Builder is being used to generate malicious .lnk, .hta, and PowerShell payloads, which then deliver Agent Tesla to the targeted machines, according to Zscaler.
“This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past,” Zscaler noted.
Quantum Builder used in a string of new malware attacks
Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. “This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organisations,” Zscaler noted.
The payloads generated by the builder employ sophisticated techniques such as user account control bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges, and to perform Windows defender exclusions.
The new malware campaign has also been seen utilising a multi-staged infection chain integrating various attack vectors, Zscaler said. It executes PowerShell scripts in-memory to evade detection and is also seen executing decoys to distract victims after devices have been infected.
New attacks start with spear phishing email
The attack chain starts with a spear-phishing mail that that contains a GZIP attachment. The GZIP includes a shortcut that is designed to execute PowerShell code that is responsible for launching a remote HTML application using mshta.exe binaries.
The phishing email looks like it is from a Chinese supplier of lump and rock sugar—it has a subject line stating "New Order Confirmation - Guangdong Nanz Technology co. ltd."—and has a malicious .lnk file with a PDF icon.
Once the document is opened, the HTA file decrypts a PowerShell loader script which decrypts and loads another PowerShell script after performing advanced encryption standard decryption and GZIP decompression.
The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server, and then executes it with administrative privileges by performing a user account control bypass (UAC) using the CMSTP. Agent Tesla is then executed on the target machine with administrative privileges.
There was also a second variant of Agent Tesla observed, where the threat actors used a ZIP file and other sophisticated methods to hide their activities. Agent Tesla has been active since 2014, in 2018 it had more than 6,300 customers who pay subscription fees to license the software. Currently, Agent Tesla is being sold for $182 a month on the dark web, according to Hacker News.
Quantum builder was first discovered by Cyble Research Labs in June this year on a cybercrime forum. The threat actor claimed in the post that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. There was also a video posted demonstrating how to build .lnk, .hta, and .iso files using the malware builder.
The .hta payload can be created using Quantum Builder by customising options such as payload url, DLL (dynamic link library), UAC Bypass, and execution path detaails as well as a time delay to execute the payload.