Quantum Builder: A Tool to Create Malicious Shortcut Files

Quantum LNK Builder

• It is available for a month at €189 (approx $200), for two months at €355 (approx $375), and for six months at €899 (approx $950). Users get lifetime access for €1,500 (approx $1585).
• The tool makes it possible to spoof any extension and choose from over 300 icons for malicious link files. Further, it even has support for UAC and Windows SmartScreen bypass.
• Quantum Builder supports multiple payloads per LNK file and has capabilities to create HTA and ISO payloads. 
• The earliest samples date back to May 24, which pretended to be harmless-looking text files.

Attribution

Why LNK extensions?

• By default, Windows OS hides the LNK extension. If a file has the name file_name[.]txt[.]lnk, then only file_name[.]txt will be shown to a user even though the ‘show file extension’ option is enabled. Due to this reason, there is a higher probability of users getting fooled into clicking this file type.
• When the LNK files are run, they can execute PowerShell code that can be leveraged to perform further actions. In this specific case, it runs an HTML application file hosted on Quantum's website using a legitimate Windows utility that's used to run HTA files, MSHTA.

Conclusion