Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

4/10/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Quant Loader Trojan Hiding in Email File Extensions

Barracuda Networks has released a new report that finds email file extensions are hiding a variation of the Quant Loader Trojan, which is being used to spread ransomware and password stealers.

The Quant Loader Trojan has been making a comeback in the past two months, hiding in email file extensions and spreading either ransomware or password stealers throughout corporate networks, according to a new report.

Between March and April, researchers with Barracuda Networks have noticed an uptick in email file extensions that are carrying the Quant Loader Trojan, according to a study released Tuesday, April 10. As in many other cases, the people behind this attack are using phishing and other social engineering techniques to trick unsuspecting employees into opening a malicious link.

In this latest case, the attackers are using malicious file extensions disguised as billing documents. In some cases, the extension hiding the Trojan is compressed into a zip file, according to Barracuda.

The Quant Loader Trojan has been around since at least 2016, although security researchers began to see a significant uptick in the latter part of 2017. In all these cases, the Trojan is used to distribute malware, typically ransomware and password stealers.

The Trojan itself is usually sold within different underground forums -- some linked to Russia -- and it allows the user to configure the payload upon infection through a management panel. This type of configurable malware is becoming more widespread and allows the development of the Trojan to be separated from those who are distributing it.

In the latest outbreak that started in March, researchers found that zipped Microsoft Internet shortcut files with a ".url" file extension began appearing in different emails under the guise of a billing document. The attackers used a variation of the CVE-2016-3353 proof-of-concept, which allows the malware to bypass security warnings. It also contains links to JavaScript or Windows Script files.

In this case, the URLs are prefixed with "file://" rather than the standard "http://", which then fetches the links over Samba instead of through a browser. The result, as Barracuda found, allows the Trojan to download:

This has the benefit of executing the contained code using WScript under the current user's profile rather than requiring browser exploitation, although it does prompt the user before doing so. The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute.

Since the malicious scripts are heavily obfuscated, the attacks can prevent or slow security analysis.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

While the Quant Loader Trojan is not new, the way attackers are using it is unique, Fleming Shi, the senior vice president of Technology at Barracuda, wrote in an email to Security Now.

"The approach the hackers are taking with it is somewhat of a newer tactic," Shi wrote. "Sending out a message with a benign link or attachment allows the possibility for them to change the link or attachment to something malicious at a later date."

This current Quant Loader Trojan attack is actually composed of several smaller campaigns that typically last for a day or less. Here, the attackers are utilizing an email content file name pattern and a single domain serving malicious script files over Samba. In some cases, the emails have no text at all and only a subject line.

So far, Shi writes that Barracuda has seen this version of Quant Loader at work in the US, as well as the UK, but it could also be spreading elsewhere. The motives of those behind it are also not known, however. "It's hard to know what the motivating factors are with the criminals or who exactly is behind it, but this Trojan is capable of stealing passwords and launching ransomware. Both of these tactics are used for monetary gain, so that is likely the end goal," Shi added.

In its report, Barracuda is warning that enterprises and their security teams should alert employees and stress to them the importance of not opening emails with unfamiliar attachments, as well as to be aware of social engineering schemes as part of a phishing attack.

A report conducted by Malwarebytes and released this week found that ransomware attacks declined during the first quarter of this year as cybercriminals targeted more lucrative cryptomining schemes. However, it did warn that certain types of Trojans were making a comeback. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

Related posts:

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.