Quant Loader Trojan Spreads Via Microsoft URL Shortcut Files

Researchers are warning of a new email phishing campaign that launches a trojan capable of distributing ransomware and stealing passwords.

Researchers are warning of a new email phishing campaign that downloads and launches the Quant Loader trojan, capable of distributing ransomware and stealing passwords.

Barracuda on Tuesday said it has been tracking emails containing zipped Microsoft internet shortcut files with a “.url” file extension sent to millions of inboxes via a phishing campaign over the past month. If a file is executed, a script is downloaded that then drops the Quant Loader malware onto the targeted system.

“This is a more sophisticated approach than usual… it might be a way to prepare for a later attack,” said Fleming Shi, SVP of Advanced Technology Engineering at Barracuda, in an interview with Threatpost.

Shi said victims are tricked into clicking files with unfamiliar extensions in emails, which look like billing documents. Emails have a file name pattern, with some having no text content and simply a subject line.

“These shortcut files use a variation on the CVE-2016-3353 proof-of-concept, containing links to JavaScript files (and more recently Windows Script Files). However, in this instance the URL was prefixed with ‘file://’ rather than ‘http://’ which fetches them (scripts) over Samba rather than through a web browser,” wrote researchers in a technical blog outlining the research.

Samba is a popular standard for providing Windows-based file and print services.

The vulnerability CVE-2016-3353 is tied to Microsoft Internet Explorer (9 through 11) and is rated high severity by the National Vulnerability Database. The vulnerability “mishandles .url files from the Internet zone, which allows remote attackers to bypass intended access restrictions via a crafted file, aka ‘Internet Explorer Security Feature Bypass,’” according to the CVE description.

The script files (JavaScript and Windows Script Files) are downloaded and then act as droppers that download the Quant Loader trojan. “The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute,” researchers said.
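For mail-gateway or triage use, the shortcut pattern described above can be checked mechanically. The following Python sketch is an added example, not code from Barracuda or the original article: it opens a zipped attachment, reads each “.url” internet shortcut, and flags those whose URL= target is a file:// link to a remote host (or a UNC path) ending in a script extension. The file names, the documentation-range address and the size limit are constructed assumptions.

```python
import io
import zipfile
from urllib.parse import urlparse

SCRIPT_EXTS = (".js", ".wsf")   # script types named in the article
MAX_BYTES = 64 * 1024           # assumption: real .url shortcuts are tiny

def shortcut_target(data: bytes):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def is_remote_script(url: str) -> bool:
    """True for file://host/... or \\\\host\\... targets ending in a script extension."""
    parsed = urlparse(url)
    remote_file = parsed.scheme == "file" and parsed.netloc not in ("", "localhost")
    unc = url.startswith("\\\\")
    path = parsed.path if remote_file else url
    return (remote_file or unc) and path.lower().endswith(SCRIPT_EXTS)

def scan_zip(blob: bytes):
    """Return (member name, target) for every suspicious .url file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            with zf.open(info) as member:
                target = shortcut_target(member.read(MAX_BYTES))
            if target and is_remote_script(target):
                findings.append((info.filename, target))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample attachment: one flagged shortcut, one benign, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("billing_0001.url",
                    "[InternetShortcut]\r\nURL=file://198.51.100.7/docs/invoice.js\r\n")
        zf.writestr("homepage.url", "[InternetShortcut]\r\nURL=http://example.com/\r\n")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```
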

The Quant Loader trojan is sold on various underground forums and allows buyers to configure their payload(s) upon infection via a management panel.

Quant Loader became available to purchase on various underground forums in 2016, according to Forcepoint. The downloader has been used to distribute the Locky Zepto crypto-ransomware and Pony malware family. It has capabilities including privilege escalation, an administrative control panel and support for downloading both EXEs and DLLs.

The threat has played out in a series of mini attacks over the past month, with Barracuda noticing the first attack sent in millions of emails on March 5 and 6. The attack then tapered off, before coming back on March 13 and March 26, said Shi.

Because the main techniques used in the attack are phishing and social engineering, Barracuda stressed that users should avoid file types in emails that they are unfamiliar with. “User training is the only way to get around this,” Shi said.
