Agent Tesla’s remote access trojan is distributed using Quantum Builder, a newly identified malware creator (RAT).
When compared to earlier attacks of this type, this campaign has improvements and a shift toward LNK (Windows shortcut) files. According to a report published on Tuesday by Niraj Shivtarkar and Avinash Kumar of Zscaler ThreatLabz.
Quantum Builder, is a configurable tool for creating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted devices. In this case, Agent Tesla malware is offered for sale on the dark web for €189 per month.
A spear-phishing email with a GZIP archive attachment and a shortcut to run PowerShell code that launches a remote HTML application (HTA) using MSHTA is the first step in the multi-stage attack chain.
The LNK file poses as a PDF document in the phishing emails, which claim to be an order confirmation letter from a Chinese supplier of lump and rock sugar.
Another PowerShell loader script that functions as a downloader for locating and running the Agent Tesla malware. For running needs administrative privileges are decrypted and executed by the HTA file in turn.
The GZIP archive is swapped out for a ZIP file in the second round of the infection sequence. Also uses further obfuscation techniques to mask the harmful behavior.
The researchers stated that “threat actors are continuously upgrading their strategies and use malware builders supplied on the cybercrime market.”
The most recent of several attacks in which Quantum Builder was used to constructing harmful payloads in campaigns against various companies was the Agent Tesla campaign.