Quant Loader Trojan Hiding in Email File Extensions

  /     /     /  
Publicated : 22/11/2024   Category : security


Quant Loader Trojan Hiding in Email File Extensions


Barracuda Networks has released a new report that finds email file extensions are hiding a variation of the Quant Loader Trojan, which is being used to spread ransomware and password stealers.



The Quant Loader Trojan has been making a comeback in the past two months, hiding in email file extensions and spreading either ransomware or password stealers throughout corporate networks, according to a new report.
Between March and April, researchers with Barracuda Networks have noticed an uptick in email file extensions that are carrying the Quant Loader Trojan,
according to a study
released Tuesday, April 10. As in many other cases, the people behind this attack are using phishing and other social engineering techniques to trick unsuspecting employees into opening a malicious link.
In this latest case, the attackers are using malicious file extensions disguised as billing documents. In some cases, the extension hiding the Trojan is compressed into a zip file, according to Barracuda.
A recent view of the Quant Loader Trojan injecting a system.

(Source:
Barracuda Networks
)
The Quant Loader Trojan has been around since at least 2016, although security researchers began to
see a significant uptick
in the latter part of 2017. In all these cases, the Trojan is used to distribute malware, typically ransomware and password stealers.
The Trojan itself is usually sold within different underground forums -- some linked to Russia -- and it allows the user to configure the payload upon infection through a management panel. This type of configurable malware is becoming more widespread and allows the development of the Trojan to be separated from those who are distributing it.
In the latest outbreak that started in March, researchers found that zipped Microsoft Internet shortcut files with a .url file extension began appearing in different emails under the guise of a billing document. The attackers used a variation of the
CVE-2016-3353 proof-of-concept
, which allows the malware to bypass security warnings. It also contains links to JavaScript or Windows Script files.
In this case, the URLs are prefixed with file:// rather than the standard http://, which then fetches the links over
Samba
instead of through a browser. The result, as Barracuda found, allows the Trojan to download:

This has the benefit of executing the contained code using WScript under the current users profile rather than requiring browser exploitation, although it does prompt the user before doing so. The remote script files are heavily obfuscated, but all result in downloading and running Quant Loader when allowed to execute.

Since the malicious scripts are heavily obfuscated, the attacks can prevent or slow security analysis.
The fundamentals of network security are being redefined -- dont get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual
Big Communications Event
. Theres still time to register and communications service providers get in free!
While the Quant Loader Trojan is not new, the way attackers are using it is unique, Fleming Shi, the senior vice president of Technology at Barracuda, wrote in an email to Security Now.
The approach the hackers are taking with it is somewhat of a newer tactic, Shi wrote. Sending out a message with a benign link or attachment allows the possibility for them to change the link or attachment to something malicious at a later date.
This current Quant Loader Trojan attack is actually composed of several smaller campaigns that typically last for a day or less. Here, the attackers are utilizing an email content file name pattern and a single domain serving malicious script files over Samba. In some cases, the emails have no text at all and only a subject line.
So far, Shi writes that Barracuda has seen this version of Quant Loader at work in the US, as well as the UK, but it could also be spreading elsewhere. The motives of those behind it are also not known, however. Its hard to know what the motivating factors are with the criminals or who exactly is behind it, but this Trojan is capable of stealing passwords and launching ransomware. Both of these tactics are used for monetary gain, so that is likely the end goal, Shi added.
In its report, Barracuda is warning that enterprises and their security teams should alert employees and stress to them the importance of not opening emails with unfamiliar attachments, as well as to be aware of social engineering schemes as part of a phishing attack.
A report conducted by Malwarebytes and released this week found that ransomware attacks declined during the first quarter of this year as cybercriminals targeted more lucrative cryptomining schemes. However, it did warn that certain types of Trojans were making a comeback. (See
Malwarebytes: Cryptomining Surges as Ransomware Declines
.)
Related posts:
Fancy Bear Linked to DealersChoice Attacks in Europe
Coldroot RAT Sends Mac Antivirus Down a Maze
Ransomware Shows Theres no Honor Among Cyberthieves
This Aggressive Panda Steals Your Credentials
— Scott Ferguson, is the managing editor of Light Reading and the editor of
Security Now
. Follow him on Twitter
@sferguson_LR
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Quant Loader Trojan Hiding in Email File Extensions