Quant Loader Trojan Hiding in Email File Extensions

The Quant Loader Trojan has been making a comeback in the past two months, hiding in email file extensions and spreading either ransomware or password stealers throughout corporate networks, according to a new report.

Between March and April, researchers with Barracuda Networks have noticed an uptick in email file extensions that are carrying the Quant Loader Trojan, according to a study released Tuesday, April 10. As in many other cases, the people behind this attack are using phishing and other social engineering techniques to trick unsuspecting employees into opening a malicious link.

In this latest case, the attackers are using malicious file extensions disguised as billing documents. In some cases, the extension hiding the Trojan is compressed into a zip file, according to Barracuda.

A recent view of the Quant Loader Trojan injecting a system.
\r\n(Source: Barracuda Networks)\r\n

The Quant Loader Trojan has been around since at least 2016, although security researchers began to see a significant uptick in the latter part of 2017. In all these cases, the Trojan is used to distribute malware, typically ransomware and password stealers.

The Trojan itself is usually sold within different underground forums -- some linked to Russia -- and it allows the user to configure the payload upon infection through a management panel. This type of configurable malware is becoming more widespread and allows the development of the Trojan to be separated from those who are distributing it.

In the latest outbreak that started in March, researchers found that zipped Microsoft Internet shortcut files with a ".url" file extension began appearing in different emails under the guise of a billing document. The attackers used a variation of the CVE-2016-3353 proof-of-concept, which allows the malware to bypass security warnings. It also contains links to JavaScript or Windows Script files.

In this case, the URLs are prefixed with "file://" rather than the standard "http://", which then fetches the links over Samba instead of through a browser. The result, as Barracuda found, allows the Trojan to download:

"This has the benefit of executing the contained code using WScript under the current user's profile rather than requiring browser exploitation, although it does prompt the user before doing so. The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute."

Since the malicious scripts are heavily obfuscated, the attacks can prevent or slow security analysis.

The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

While the Quant Loader Trojan is not new, the way attackers are using it is unique, Fleming Shi, the senior vice president of Technology at Barracuda, wrote in an email to Security Now.

"The approach the hackers are taking with it is somewhat of a newer tactic," Shi wrote. "Sending out a message with a benign link or attachment allows the possibility for them to change the link or attachment to something malicious at a later date."

This current Quant Loader Trojan attack is actually composed of several smaller campaigns that typically last for a day or less. Here, the attackers are utilizing an email content file name pattern and a single domain serving malicious script files over Samba. In some cases, the emails have no text at all and only a subject line.

So far, Shi writes that Barracuda has seen this version of Quant Loader at work in the US, as well as the UK, but it could also be spreading elsewhere. The motives of those behind it are also not known, however. "It's hard to know what the motivating factors are with the criminals or who exactly is behind it, but this Trojan is capable of stealing passwords and launching ransomware. Both of these tactics are used for monetary gain, so that is likely the end goal," Shi added.

In its report, Barracuda is warning that enterprises and their security teams should alert employees and stress to them the importance of not opening emails with unfamiliar attachments, as well as to be aware of social engineering schemes as part of a phishing attack.

A report conducted by Malwarebytes and released this week found that ransomware attacks declined during the first quarter of this year as cybercriminals targeted more lucrative cryptomining schemes. However, it did warn that certain types of Trojans were making a comeback. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

Related posts:

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.