URL file attacks spread Quant Loader trojan
A recent spate of attacks using phishing, social engineering, exploits, and obfuscation are being used to spread a Quant Loader trojan capable of distributing ransomware and password stealers.
Researchers at Barracuda last month began spotting malicious zipped Microsoft internet shortcut files with a “.url” file extension claiming to be billing documents but actually lead to remote script files.
The files actually use a variation on the CVE-2016-3353 proof-of-concept which, contain links to JavaScript files and in some cases Windows Script Files, are heavily obfuscated, and all result in downloading and running Quant Loader when allowed to execute, according to an April 10 blog post
Researchers spotted the attack in a series of mini-campaigns, each of which lasted less than a day and used a single domain serving malicious script files over Samba and a single variant of Quant being distributed from a handful of domains. The attacks also utilized an email content and file name pattern with some emails having no text content and only a subject line, researchers said.
Rod Soto, director of security research at JASK, told SC Media the attack matches current observations of other malicious campaigns where scripting languages are being used to execute exploitation and infection payloads and bypass standard browser protections.
“Scripting languages are perceived as less dangerous than actual files, as they are usually trusted by the operating system and operate under current user rights, so it takes deeper inspection into the actual code in order to assess its maliciousness,” said Soto. “These types of attacks are growing in popularity and are also called fileless malware.”
Source | scmagazineuk
