A new malicious tool that allows cybercriminals to create malicious Windows Shortcut (.LNK) files has been put up for sale on cybercrime forums.
Dubbed Quantum Lnk Builder, the software allows you to spoof any extension and choose from over 300 icons, and also offers UAC support, Windows SmartScreen bypass and “multiple payloads per .LNK” file. .HTA payload and disk image (.ISO) generation capabilities are also offered.
Quantum Builder is available for lease at various prices: €189 per month, €355 for two months, €899 for six months, or as a one-time lifetime purchase for €1,500.
“.LNK files are shortcut files that reference other files, folders, or applications to open them,” Cyble researchers said in a report. “The [threat actor] exploits .LNK files and drops malicious payloads using LOLBins [living-off-the-land binaries].”
The earliest evidence of malware samples using Quantum Builder in the wild is believed to date back to May 24, masquerading as harmless text files (“test.txt.lnk”).
“By default, Windows hides the .LNK extension, so if a file is named file_name.txt.lnk, then only file_name.txt will be visible to the user even if the option to show the file extension is activated,” the researchers said. “For these reasons, it could be an attractive option for threat actors, using .LNK files as a disguise or smokescreen.”
Launching the .LNK file executes PowerShell code, which in turn executes an HTML application file (“bdg.hta”) hosted on the Quantum website (“quantum-software[.]online”) using MSHTA, a legitimate Windows utility used to execute HTA files.
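The two traits just described, the double-extension disguise and a shortcut whose target chains PowerShell into MSHTA, can both be checked from the .LNK bytes themselves. The following triage script is an added example (not Cyble's code or the builder's): it parses the StringData section of the MS-SHLLINK format and flags the file name and target for review. The sample shortcut, the `example.invalid` host and the marker list are constructed assumptions.

```python
import struct

HEADER_SIZE = 0x4C   # fixed ShellLinkHeader size; LinkFlags below select the optional blocks
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
LOLBIN_MARKERS = ("powershell", "mshta", ".hta", "cmd.exe", "rundll32")  # assumed watch-list

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK, skipping the IDList and LinkInfo blocks."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                   # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                 # LinkInfoSize is the struct's first field
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for key, bit in STRING_FIELDS:           # each: CountCharacters (2 bytes) + chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def triage(filename: str, data: bytes) -> list:
    """List suspicious traits of a shortcut; an empty list means nothing was flagged."""
    findings = []
    name = filename.lower()
    if name.endswith(".lnk") and "." in name[:-4]:   # "test.txt.lnk" is shown as "test.txt"
        findings.append(f"double extension disguise: displayed as '{name[:-4]}'")
    text = " ".join(parse_lnk(data).values()).lower()
    findings += [f"references {m}" for m in LOLBIN_MARKERS if m in text]
    return findings

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK (header + two StringData fields) for testing."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))          # remaining header fields zeroed
    def sd(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)
```

Real shortcuts normally carry an IDList and LinkInfo block before the strings; the parser skips both, so `triage()` can be pointed at files collected from a mailbox or download folder as-is.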
Quantum Builder is reported to share ties with the North Korea-based Lazarus Group, based on source code overlaps in the tool and the modus operandi of leveraging .LNK files to deliver additional-stage payloads, indicating its potential use by APT actors in their attacks.
The development comes as the operators behind Bumblebee and Emotet turn to .LNK files as a conduit to trigger infection chains following Microsoft’s decision to disable Visual Basic for Applications (VBA) macros by default on its products earlier this year.
Bumblebee, a BazarLoader malware replacement first spotted in March, functions as a backdoor designed to give attackers persistent access to compromised systems and a downloader for other malware, including Cobalt Strike and Sliver.
The malware’s capabilities have also made it a tool of choice for threat actors, with 413 incidents of Bumblebee infections reported in May 2022, compared to 41 in April, according to Cyble.
“Bumblebee is a new, highly sophisticated malware loader that employs numerous evasive maneuvers and anti-analysis tricks, including complex anti-virtualization techniques,” the researchers said. “It is likely to become a popular tool for ransomware groups to deliver their payload.”