Abstract Waves
  • Michael Paulyn

Harnessing the Power of Quantum Builder from the Dark Web, Cybercriminals Deliver Agent Tesla

Experts have uncovered a malware builder, Quantum Builder, which cybercriminals use to deliver the Agent Tesla remote access trojan (RAT). Researchers from Zscaler ThreatLabz share that "this campaign features enhancements and a shift toward LNK (Windows shortcut) files compared to similar attacks in the past."

Quantum Builder is sold on the dark web and goes for the low price of €189 per month. The tool is completely customizable and capable of creating malicious shortcut files along with HTA, ISO, and PowerShell payloads, which can efficiently deliver what's known as "next-stage" malware, specifically Agent Tesla.

The campaign relies on a multi-stage attack chain that starts with a spear-phishing email containing a GZIP archive attachment. The archive includes a shortcut designed to execute PowerShell code, which in turn launches a remote HTML application (HTA) using MSHTA.

These phishing emails appear as an order confirmation message from a particular Chinese supplier for a raw good like sugar, and the LNK file appears to the user as a PDF document. The HTA file is responsible for decrypting and executing a separate PowerShell loader script, which is the downloader for retrieving the Agent Tesla malware and "executing it with administrative privileges."
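
The chain described above (shortcut, PowerShell, MSHTA loading a remote HTA, then a second PowerShell loader) leaves a recognizable parent/child process lineage that defenders can hunt for. The following is an added detection sketch, not code from this post or from Zscaler; the event records, their simplified field names, and the `example.invalid` URL are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed process-creation records (simplified, hypothetical field names).
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Stages from the article: shortcut -> PowerShell -> MSHTA (remote HTA) -> PowerShell loader
    {"pid": 210, "ppid": 100, "image": PS, "cmd": "powershell.exe <constructed stage-1 command>"},
    {"pid": 220, "ppid": 210, "image": MSHTA, "cmd": "mshta.exe https://example.invalid/order.hta"},
    {"pid": 230, "ppid": 220, "image": PS, "cmd": "powershell.exe <constructed loader command>"},
    # Benign look-alikes that must not alert
    {"pid": 300, "ppid": 100, "image": MSHTA, "cmd": r"mshta.exe C:\Tools\inventory.hta"},
    {"pid": 400, "ppid": 100, "image": PS, "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)

def proc_name(event):
    return basename(event["image"]).lower()

def find_lnk_hta_chains(events):
    """Flag mshta.exe loading a remote URL when its parent is powershell.exe.

    Severity is raised when that mshta.exe then spawns PowerShell again,
    which matches the HTA-to-loader step. PID reuse is ignored for brevity.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        url = REMOTE_URL.search(e["cmd"])
        parent = by_pid.get(e["ppid"])
        if proc_name(e) != "mshta.exe" or not url or parent is None:
            continue
        if proc_name(parent) != "powershell.exe":
            continue
        loaders = [c["pid"] for c in events
                   if c["ppid"] == e["pid"] and proc_name(c) == "powershell.exe"]
        findings.append({"mshta_pid": e["pid"], "launcher_pid": parent["pid"],
                         "url": url.group(0), "loader_pids": loaders,
                         "severity": "high" if loaders else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_lnk_hta_chains(EVENTS):
        print(finding)
```

In practice the same lineage test would be run over endpoint process-creation telemetry, with PID reuse handled by also keying on host and process start time.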

Hungry for more? Join me each week, where I'll break down complex topics and dissect the latest news within the cybersecurity industry and blockchain ecosystem, simplifying the tech world.
