Recently, Zscaler ThreatLabz discovered a new malicious campaign in which the Agent Tesla RAT is delivered by a malware builder called Quantum Builder. Tesla is an active keylogging and RAT program that is based on .NET, and since 2014, it has been in operation.
Comparatively to the previous versions of this campaign, this one is much more sophisticated and features a shift towards LNK (Windows shortcut) files.
Quantum Builder
There is a malicious shortcut file that is created using Quantum Builder, and this builder is also known as “Quantum Link Builder.”
Due to shared TTPs and source code overlaps, this campaign has been linked with the Lazarus Group APT. However, security analysts were unable to ascribe this to any specific threat actor with confidence.
In this campaign, the threat actors use Quantum Builder to generate malicious payloads like:-
- LNK
- HTA
- PowerShell
Once all these payloads have been assembled, the threat actors can use them to deliver the Agent Tesla malware. There are a number of sophisticated techniques that are used by the builder, including:-
- With the help of the Microsoft Connection Manager Profile Installer (CMSTP) binary, it is possible to bypass User Account Control.
- Ensure that Windows Defender Exclusions are configured.
- By integrating several different attack vectors using LOLBins, a multi-stage infection chain has been created and is being used.
- In order to evade detection, PowerShell scripts are executed in memory.
- In order to distract the victims after acquiring the infection, decoys are used as distraction tactics.
Quantum Builder is available on the dark web for a monthly subscription fee of €189, and here below you can see the full price list:-
Malicious shortcut files can be created with Quantum Builder, since it’s a customizable tool, and not only that, it also generates malicious payloads as well:-
- HTA
- ISO
- PowerShell
Payloads such as these are used for delivering next-stage malware (Agent Tesla) to the machines that have been targeted in the attack.
Infection Chain
The infection chain is a multi-stage attack chain consisting of multiple stages that are launched with the initiation of phishing emails that contain a GZIP archive file in the attachment of the mail.
A shortcut is included in this attachment, and this shortcut is used for executing PowerShell code that uses the MSHTA to launch a remote HTA.
According to the report, A Chinese supplier of Lump and Rock Sugar (Guangdong Nanz Technology co. ltd) is purportedly sending phishing emails with the arrangement of an order confirmation message. Here the message contains a malicious LNK file that masquerades itself as a legit PDF doc.
A PowerShell loader script, in turn, is decrypted and executed by the HTA file. Now to execute the Agent Tesla malware with administrative privileges, this script acts as both downloader and executor.
Alternatively, a ZIP file is substituted for the GZIP archive in a second variant of the infection sequence.
It has been observed in recent months that the use of the Quantum Builder has increased rapidly. Since a variety of malware is being distributed using it by the threat actors.
In a recent campaign against various organizations, the Quantum Builder is utilized to create malware payloads in order to launch cyber-attacks against them, and the latest among them is this Agent Tesla campaign.
Cyber Attack with Zero Trust Networking – Download Free E-Book
