Security Researchers Discover Quantum Lnk Builder, a New Malware Tool

Cyble has published a report on a new malware tool, Quantum Lnk Builder, which has recently been offered for sale on underground markets. The builder has a graphical interface for creating malicious Windows shortcut (.LNK) files, can disguise the shortcut's real extension using a library of more than 300 icons, and offers UAC and Windows SmartScreen bypass.

Quantum Lnk Builder

In addition, the builder can pack multiple payloads into a single .LNK file, and it can also generate payloads in .HTA and .ISO formats.

LNK files are Windows shortcuts. A shortcut does not need to contain executable code itself: its target path and command-line arguments can point at legitimate, signed system binaries (LOLBins, "living off the land binaries") such as PowerShell or MSHTA, which then run whatever the attacker put in the arguments. This is why LNK files are frequently used to deliver malware, particularly in phishing campaigns; Emotet, Qbot and IcedID are well-known families that have used them.

“By default, Windows hides the .LNK extension, so if a file is named ‘filename.txt.lnk’, then only ‘filename.txt’ will be visible to the user, even if the option to display file extensions is enabled,” the researchers write.
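As an added example (this is not code from the Cyble report or from Quantum Builder), the following Python script shows what a defender can recover from a shortcut by parsing it with the public MS-SHLLINK layout: the fixed header and LinkFlags, the LinkTargetIDList (skipped), the LocalBasePath inside LinkInfo, and the StringData fields that carry the command-line arguments and the borrowed icon. On top of that it flags the tricks described in the two paragraphs above: a LOLBin target such as powershell.exe or mshta.exe, hidden-window or execution-policy-bypass arguments, a document icon sitting on a script-host target, and a double extension of the Password.txt.lnk kind. The .LNK it analyses is constructed inline by a small helper so the script runs offline; it is not a sample from the report, and the LOLBINS set and argument patterns are my own heuristics, not a detection rule from Cyble.

```python
import re
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags bits).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))  # StringData order mandated by the spec

# Heuristics (my own, not from the report): script hosts and other LOLBins that a
# shortcut posing as a document has no business launching, and argument patterns
# typical of LNK droppers.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|enc|encodedcommand)\s"
    r"|frombase64string|invoke-expression|\biex\b|downloadstring|downloadfile", re.I)
DOUBLE_EXT = re.compile(r"\.(txt|pdf|docx?|xlsx?|rtf|jpe?g|png)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Walk the header, skip the IDList, take LocalBasePath from LinkInfo, then read StringData."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte IDListSize followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = None
    if flags & HAS_LINKINFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: LocalBasePathOffset is at LinkInfo+16
            off = pos + struct.unpack_from("<I", data, pos + 16)[0]
            local_base_path = data[off:data.index(b"\x00", off)].decode("cp1252", "replace")
        pos += info_size
    result = {"flags": flags, "local_base_path": local_base_path}
    for flag, key in STRING_FIELDS:  # each field: CountCharacters, then the unterminated string
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                result[key] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
                pos += 2 * count
            else:
                result[key] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return result


def triage_lnk(data: bytes, filename: str) -> list:
    """Return short finding tags for the shortcut-as-document tricks described in the article."""
    info = parse_lnk(data)
    findings = []
    target = (info.get("local_base_path") or info.get("relative_path") or "").lower()
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1]
    if exe in LOLBINS:
        findings.append(f"lolbin_target:{exe}")
    if SUSPICIOUS_ARGS.search(info.get("arguments", "")):
        findings.append("suspicious_arguments")
    if DOUBLE_EXT.search(filename):  # Windows never shows .lnk, so the user sees only "X.txt"
        findings.append("double_extension")
    icon = info.get("icon_location", "").lower()
    if exe in LOLBINS and icon and not icon.endswith(exe):
        findings.append("icon_mismatch")  # e.g. a notepad/document icon on a PowerShell target
    return findings


def build_sample_lnk(target: str, args: str, icon: str) -> bytes:
    """Constructed test fixture: a minimal, spec-conformant .LNK (not a sample from the report)."""
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_ARGS | HAS_ICON | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # empty ItemIDList + TerminalID
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    lbp_off = 28 + len(volume_id)        # LinkInfoHeaderSize is 28 with no Unicode offsets
    cps_off = lbp_off + len(base)
    link_info = (struct.pack("<IIIIIII", cps_off + 1, 28, 1, 28, lbp_off, 0, cps_off)
                 + volume_id + base + b"\x00")

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + link_info + string_data(args) + string_data(icon) + struct.pack("<I", 0)


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              r"-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
                              r"%SystemRoot%\System32\notepad.exe")
    print(parse_lnk(sample))
    print(triage_lnk(sample, "Password.txt.lnk"))
```

The parser deliberately does not decode the IDList (shell item parsing is a project of its own) and ignores the Unicode LocalBasePath variant, so a shortcut that carries its target only in the IDList will show `local_base_path` as None; in that case the arguments, icon and filename checks still apply, which is usually where the signal is anyway.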

Quantum Builder can be rented for €189 per month, €355 for two months, €899 for six months, or a lifetime “license” for €1,500.

As mentioned above, in addition to creating .LNK files, Quantum offers UAC and Windows SmartScreen bypass, the ability to load multiple payloads into a single LNK file, hiding of the payload after execution, and a choice between immediate and delayed execution of the malicious code.

The builder's authors claim that the files it generates are fully undetectable, meaning that antivirus products and OS protection mechanisms will not flag them as suspicious or malicious. This is the seller's claim rather than a verified result.

According to Cyble researchers, the first malicious files created with Quantum Builder were discovered on May 24 of this year, and analysis of these malicious LNKs suggests that well-known APT groups such as Lazarus may be using Quantum in their attacks.

The specific file studied by the researchers was named Password.txt.lnk and was disguised as a text file holding the password for a password-protected PDF document that supposedly contained an analysis of a certain stablecoin.

Quantum Lnk Builder

When the file was opened, it executed a PowerShell script closely resembling the scripts the Lazarus group used in its recent campaigns.

About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.