Skip links

Want to sneak a RAT into Windows? Buy Quantum Builder on the dark web

A tool sold on the dark web that allows cybercriminals to build malicious shortcuts for delivering malware is being used in a campaign pushing a longtime .NET keylogger and remote access trojan (RAT) named Agent Tesla.

The customizable tool, Quantum Builder (also known as Quantum LNK Builder), was seen for sale on cybercriminal markets in June by security researchers with Cyware. Quantum Builder lets attackers to create malicious Microsoft Windows LNK shortcuts.

Through the shortcuts, cybercriminals can create and deliver malicious payloads using legitimate system tools like PowerShell and Microsoft HTML Application (HTA) files.

In a report this week, researchers detected a campaign using Quantum Builder to deliver Agent Tesla, malware that has been around since 2014 and has been used to steal sensitive information from a victim’s device, including user credentials, credentials from browsers, keystrokes, and clipboard data.

Quantum Builder has been linked to the advanced persistent threat (APT) gang Lazarus Group, based on shared tactics, techniques, and procedures (TTPs) and overlaps in source code, but they can’t with any confidence attribute the current campaign to Lazarus or any particular threat group.

Malware as a service is cheaper than you think

Quantum Builder, which Cyware says could be had for about $200 for two months of access to up to $950 for lifetime access, can generate LNK, HTA, and ISO payloads that include sophisticated download techniques and deliver the final payload via a multi-staged attack chain.

That includes decrypting In-memory PowerShell scripts using the HTA file to bypass User Account Control (UAC) through Microsoft Connection Manager Profile Installer (CMSTP) – a program used to install Connection Manager service profiles – to launch Agent Tesla with administrative rights.

UAC Bypass also is used to run Windows Defenders exclusions on the system.

Quantum Builder has other techniques to evade detection and camouflage tactics, including using living-off-the-land binaries (LOLBins), which are legitimate Microsoft tools. It also “incorporates techniques like decoys, UAC Prompts and in-memory PowerShell to execute the final payload,” the researchers found, adding that “these Techniques are regularly updated by the Developers of the Quantum Builder.”

The infection chain starts with a spearphishing email whose subject line is an order confirmation from GuangDong Nanz Technology, a Chinese manufacturing company. The email includes the LNK file bundled as a GZIP archive that, once executed by the victim, activates the embedded PowerShell codes that launches MSHTA, which then executives the HTA file that is hosted on a remote server.

“The HTA File then decrypts a PowerShell loader script which decrypts and loads another PowerShell script after performing AES Decryption and GZIP Decompression,” they wrote. “The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server, and then executes it with administrative privileges by performing a UAC Bypass using the CMSTP.” 

Agent Tesla is then executed on the victim’s machine with administrative privileges.

ThreatLabz analysts found multiple samples that use a various of the infection chain to deliver Agent Tesla, with the LNK file bundled in a ZIP archive. In this situation, the LNK file also executes the HTA file hosted on the remote server by decoding a command through converting the integers in the command into characters and replacing whitespaces. It also uses MSHTA to execute the HTA file from a remote URL.

In their report in June, the Cyware team said there were advantages to attackers using LNK extensions. Windows by default hides the LNK extension, so if a file has a .lnk extension, only the file name and .txt extension will appear to the user. Because of this, there is a high probability of users being fooled into clicking on this type of file, they wrote.

In addition, “when the LNK files are run, they can execute PowerShell code that can be leveraged to perform further actions,” the Cyware researchers wrote. “In this specific case, it runs an HTML application file hosted on Quantum’s website using a legitimate Windows utility that’s used to run HTA files, MSHTA.”

Quantum Builder has been used by threat groups in a number of campaigns to deliver a range of malware families, including RedLine Stealer (which like Agent Tesla steals credentials as well as credit card information and other data), IcedID (banking trojan), GuLoader (advanced downloader), and Remcos RAT and AsyncRAT.

“Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace,” they wrote. “This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations.”

The campaign “incorporates sophisticated techniques to evade detections, and the techniques are updated regularly by the developers,” they added. ®