New ‘Quantum’ builder allows attackers to easily create malicious Windows shortcuts


A new malware tool that allows cybercriminals to create a malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums.

dubbed Quantum Lnk Builderallows the software to fake any extension and choose from over 300 icons, not to mention support UAC and Windows Smart Screen bypass as well as “multiple payloads per .LNK” file. Opportunities are also offered to generate .HTA and diskimage (.ISO) payloads.

Quantum Builder is available to rent in different price ranges: €189 per month, €355 for two months, €899 for six months or as a one-time lifetime purchase for €1,500.

“.LNK files are shortcut files that point to other files, folders, or applications to open them,” Cyble researchers said in a report. “The [threat actor] takes advantage of the .LNK files and drops malicious payloads using LOLBins [living-off-the-land binaries]†

Early evidence of malware samples using Quantum Builder in the wild is said to date back to May 24, masquerading as harmless-looking text files (“test.txt.lnk”).

Windows hides the .LNK extension by default, so if a file is named filename.txt.lnk, only filename.txt will be visible to the user, even if the Show file extension option is enabled, the researchers said. “For such reasons, this can be an attractive option for TAs, who use the .LNK files as a disguise or smokescreen.”

Launching the .LNK file executes PowerShell code which in turn runs an HTML application (“bdg.hta”) file hosted on the Quantum website (“quantum software[.]online”) using MSHTAa legitimate Windows utility used to run HTA files.

Quantum Builder is said to share ties with North Korea-based Lazarus Group based on source code level overlaps in the latter’s tool and modus operandi to use .LNK files to provide further stage payloads, indicating that it is possible is used by APT actors in their attacks.

The development comes as operators behind Bumblebee and Emotet switch to .LNK files as a channel to activate the infection chains following Microsoft’s decision to disable default Visual Basic for Applications (VBA) macros for its products earlier this year. .

Bumblebee, a replacement for BazarLoader malware first spotted in March, acts as a backdoor designed to give attackers permanent access to compromised systems and as a downloader for other malware, including Cobalt Strike and Sliver.

The malware’s capabilities have also made it a tool of choice for threat actors, with 413 incidents of Bumblebee infection reported in May 2022, up from 41 in April, according to Cyble.

“Bumblebee is a new and highly advanced malware loader that uses extensive evasion and anti-analysis tricks, including complex anti-virtualization techniques,” the researchers said. said† “It is likely to become a popular tool for ransomware groups to deliver their payload.”