Agent Tesla Campaign with LNK Files Built from Quantum Builder


Category: Malware Campaign | Industry: N/A | Level: Tactical | Source: Zscaler

Zscaler ThreatLabz researchers have identified a campaign spreading the information-stealing malware Agent Tesla. The threat actors utilized Quantum Builder, a malware builder sold on the dark web that helps the user craft malicious payloads. "In this campaign, threat actors use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines." The attack chain begins with the delivery of a spearphishing email carrying a ZIP file with an LNK inside the archive. Upon execution of the LNK file, PowerShell code invokes MSHTA to reach out to a remote server and execute an HTA file, which downloads and decrypts a PowerShell loader script. Agent Tesla is delivered onto the victim's host once the PowerShell loader completes; the loader also uses the LOLBin CMSTP to bypass User Account Control (UAC). The threat actors use the Windows file transfer protocol (FTP) client for command and control (C2) communication.

Anvilogic Scenario:

  • Zip/LNK Leads to LOLBin & Script/UAC Bypass/Data Exfil

Anvilogic Use Cases:

  • Symbolic OR Hard File Link Created
  • MSHTA.exe execution
  • Windows FTP Exfiltration
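The process chain described above (LNK-launched PowerShell calling MSHTA with a remote HTA, a CMSTP child, and FTP from a script host) can be correlated per process tree from endpoint process-creation telemetry. The following is an added detection example, not Anvilogic's or Zscaler's code; the events, paths and URL are constructed samples, and the rule names are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry): pid, parent pid, image, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "mshta https://example.invalid/page.hta"'},
    {"pid": 102, "ppid": 101, "image": "mshta.exe",      "cmd": "mshta.exe https://example.invalid/page.hta"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe", "cmd": "powershell.exe -ep bypass -enc AAAA"},
    {"pid": 104, "ppid": 103, "image": "cmstp.exe",
     "cmd": r"cmstp.exe /s C:\Users\u\AppData\Local\Temp\profile.inf"},
    {"pid": 105, "ppid": 103, "image": "ftp.exe",
     "cmd": r"ftp.exe -s:C:\Users\u\AppData\Local\Temp\cmds.txt"},
    {"pid": 200, "ppid": 1,   "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},  # benign admin use
]

# Interpreters that should rarely be the parent of cmstp.exe or ftp.exe on a workstation.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
URL = re.compile(r"https?://")

def flag(ev, parent):
    """Return the stage names (assumed rule names) a single event matches, given its parent event or None."""
    img, cmd = ev["image"].lower(), ev["cmd"].lower()
    pimg = parent["image"].lower() if parent else ""
    hits = []
    if img == "mshta.exe" and URL.search(cmd):            # HTA fetched from a remote server
        hits.append("mshta_remote_hta")
    if img == "powershell.exe" and "mshta" in cmd and URL.search(cmd):  # LNK-stage PowerShell calling MSHTA
        hits.append("powershell_launches_mshta")
    if img == "cmstp.exe" and ".inf" in cmd and pimg in SCRIPT_HOSTS:   # CMSTP fed an .inf by a script host
        hits.append("cmstp_from_script_host")
    if img == "ftp.exe" and pimg in SCRIPT_HOSTS:          # FTP client driven by a script host (C2 / exfil)
        hits.append("ftp_from_script_host")
    return hits

def detect(events):
    """Group matches by root process; a tree hitting two or more distinct stages is reported."""
    by_pid = {e["pid"]: e for e in events}

    def root(e):
        while e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
        return e["pid"]

    trees = {}
    for e in events:
        for h in flag(e, by_pid.get(e["ppid"])):
            trees.setdefault(root(e), set()).add(h)
    return {r: sorted(h) for r, h in trees.items() if len(h) >= 2}
```

Requiring two or more stages in the same tree keeps a lone administrative PowerShell run (pid 200) from alerting while the full LNK-to-FTP chain under explorer.exe (pid 100) is reported with every matched stage.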
