Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

4/10/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Quant Loader Trojan Hiding in Email File Extensions

Barracuda Networks has released a new report that finds email file extensions are hiding a variation of the Quant Loader Trojan, which is being used to spread ransomware and password stealers.

The Quant Loader Trojan has been making a comeback in the past two months, hiding in email file extensions and spreading either ransomware or password stealers throughout corporate networks, according to a new report.

Between March and April, researchers with Barracuda Networks have noticed an uptick in email file extensions that are carrying the Quant Loader Trojan, according to a study released Tuesday, April 10. As in many other cases, the people behind this attack are using phishing and other social engineering techniques to trick unsuspecting employees into opening a malicious link.

In this latest case, the attackers are using malicious file extensions disguised as billing documents. In some cases, the extension hiding the Trojan is compressed into a zip file, according to Barracuda.

The Quant Loader Trojan has been around since at least 2016, although security researchers began to see a significant uptick in the latter part of 2017. In all these cases, the Trojan is used to distribute malware, typically ransomware and password stealers.

The Trojan itself is usually sold within different underground forums -- some linked to Russia -- and it allows the user to configure the payload upon infection through a management panel. This type of configurable malware is becoming more widespread and allows the development of the Trojan to be separated from those who are distributing it.

In the latest outbreak that started in March, researchers found that zipped Microsoft Internet shortcut files with a ".url" file extension began appearing in different emails under the guise of a billing document. The attackers used a variation of the CVE-2016-3353 proof-of-concept, which allows the malware to bypass security warnings. It also contains links to JavaScript or Windows Script files.

In this case, the URLs are prefixed with "file://" rather than the standard "http://", which then fetches the links over Samba instead of through a browser. The result, as Barracuda found, allows the Trojan to download:

This has the benefit of executing the contained code using WScript under the current user's profile rather than requiring browser exploitation, although it does prompt the user before doing so. The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute.

Since the malicious scripts are heavily obfuscated, the attacks can prevent or slow security analysis.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

While the Quant Loader Trojan is not new, the way attackers are using it is unique, Fleming Shi, the senior vice president of Technology at Barracuda, wrote in an email to Security Now.

"The approach the hackers are taking with it is somewhat of a newer tactic," Shi wrote. "Sending out a message with a benign link or attachment allows the possibility for them to change the link or attachment to something malicious at a later date."

This current Quant Loader Trojan attack is actually composed of several smaller campaigns that typically last for a day or less. Here, the attackers are utilizing an email content file name pattern and a single domain serving malicious script files over Samba. In some cases, the emails have no text at all and only a subject line.

So far, Shi writes that Barracuda has seen this version of Quant Loader at work in the US, as well as the UK, but it could also be spreading elsewhere. The motives of those behind it are also not known, however. "It's hard to know what the motivating factors are with the criminals or who exactly is behind it, but this Trojan is capable of stealing passwords and launching ransomware. Both of these tactics are used for monetary gain, so that is likely the end goal," Shi added.

In its report, Barracuda is warning that enterprises and their security teams should alert employees and stress to them the importance of not opening emails with unfamiliar attachments, as well as to be aware of social engineering schemes as part of a phishing attack.

A report conducted by Malwarebytes and released this week found that ransomware attacks declined during the first quarter of this year as cybercriminals targeted more lucrative cryptomining schemes. However, it did warn that certain types of Trojans were making a comeback. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

Related posts:

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4560
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4589
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
CVE-2020-4328
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
CVE-2020-4377
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-4534
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...