A new outbreak of the Quant Loader trojan is tricking vulnerable users into opening malicious attachments that bypass browser security features.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A new malware threat is delivering the Quant Loader trojan to computers via malicious email attachments. Quant is able to install ransomware and password-stealing software.
- Quant Loader is sold as a service, making it part of a disturbing trend of malware that's readily accessible and usable by the average criminal, greatly expanding its reach.
A newly discovered email attack is delivering malicious attachments that contain a trojan known as the Quant Loader, which can install ransomware and password-stealing software.
Discovered by Barracuda Networks, the new attack leverages a two-year-old vulnerability in Internet Explorer that allows an attacker to bypass browser security features. This time, though, the attackers have taken a different approach: rather than fetching the payload through a web browser, the malicious script retrieves it over Samba file sharing, sidestepping the security features of any web browser entirely.
The use of an old, previously patched exploit in an attack is hardly a new tactic, which should remind everyone to take patching and updates seriously.
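Because the download in this campaign travels over SMB rather than HTTP, web proxies and browser protections never see it; the place to catch it is the perimeter, where a workstation opening an SMB session to an Internet address is almost never legitimate. The following detection check is an added example, not code from the article or from Barracuda's report. It assumes a key=value style firewall log (the sample lines are constructed, using private and documentation address ranges) and treats the RFC 1918, loopback and link-local ranges as internal; an organization would add its own public prefixes to that list.

```python
import ipaddress
from typing import Dict, List

# Constructed sample perimeter firewall log; not from the article or Barracuda's report.
SAMPLE_LOG = """\
2018-04-10T09:12:01Z allow src=10.20.1.15 dst=10.20.1.5 proto=tcp dport=445
2018-04-10T09:12:07Z allow src=10.20.1.15 dst=203.0.113.77 proto=tcp dport=445
2018-04-10T09:12:09Z allow src=10.20.1.22 dst=198.51.100.9 proto=tcp dport=443
2018-04-10T09:12:15Z allow src=10.20.1.15 dst=203.0.113.77 proto=tcp dport=139
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Ranges considered "inside"; an organization would append its own public prefixes here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp action k=v k=v ...' into a dict (assumed log layout)."""
    parts = line.split()
    fields = {"ts": parts[0], "action": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return allowed SMB connections from internal hosts to external addresses.

    Internal-to-internal SMB (file servers, domain controllers) is normal and skipped;
    SMB leaving the network is the signal, since that is how file:// fetches reach the
    attacker's share without touching a browser or web proxy.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("proto") != "tcp" or int(rec.get("dport", 0)) not in SMB_PORTS:
            continue
        if rec["action"] == "allow" and is_external(rec["dst"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_external_smb(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} outbound SMB allowed')
```

In practice the durable fix is to deny TCP 139 and 445 outbound at the firewall altogether; the check above is what you run against historical logs to find out whether any host has already reached out before that rule was in place.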
How this attack works
Emailing malicious attachments is a common form of attack, and this Quant Loader campaign is no different.
Barracuda reports that emails claiming to be billing statements and blank emails with just an attachment have been detected, both of which contain .zip files.
The .zip contains a Windows Script File (.wsf) which, upon execution, pulls down the Quant Loader installer, with a twist: rather than fetching it from an http:// address, the script uses a file:// URL to download the executable over Samba, according to the report.
Barracuda researchers said that the script files are heavily obfuscated, but all end up with the same result: The download and execution of the Quant Loader installer.
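A mail gateway does not need to de-obfuscate the script to act on this campaign: a .zip that carries a Windows Script File is already grounds for quarantine, and a script that names a file:// URL or a UNC path is grounds for an outright block, because a legitimate billing statement has no reason to reach for an SMB share. The triage routine below is an added example, not the article's or Barracuda's code, and it is not an emulation of the real attachment. It assumes the attachment is available as bytes; the sample .zip it builds is constructed inline, contains a .wsf that does nothing but hold a file:// string, and uses a hypothetical host name under the reserved .invalid domain.

```python
import io
import re
import zipfile
from typing import Dict, List

# Script types that should not pass a mail gateway inside an archive unchallenged.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}

# file:// URLs and UNC paths (\\host\share\...) resolve to SMB shares, not web servers.
FILE_URL_RE = re.compile(r"file://[^\s\"'<>]+", re.IGNORECASE)
UNC_PATH_RE = re.compile(r"\\{2,}[\w.-]+\\+[^\s\"'<>]+")


def triage_zip(data: bytes) -> List[Dict[str, object]]:
    """Inspect each archive member; report script files and any SMB references inside them.

    Returns one finding per script member with a verdict: 'block' when the script names a
    file:// or UNC location, otherwise 'quarantine' (a script attachment still warrants review).
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            # Decode leniently: obfuscated scripts are often not clean UTF-8.
            text = zf.read(name).decode("utf-8", errors="replace")
            refs = FILE_URL_RE.findall(text) + UNC_PATH_RE.findall(text)
            findings.append({
                "member": name,
                "extension": ext,
                "smb_references": refs,
                "verdict": "block" if refs else "quarantine",
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a .wsf holding only a file:// string (hypothetical host)."""
    wsf = (
        '<job id="statement"><script language="JScript">\n'
        'var src = "file://fileserver.placeholder.invalid/share/loader.exe";\n'
        "</script></job>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("billing_statement_0418.wsf", wsf)
        zf.writestr("readme.txt", "constructed benign member")  # non-script, ignored
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f'{f["member"]}: {f["verdict"]} ({len(f["smb_references"])} SMB reference(s))')
```

Heavier obfuscation will hide the string from a plain regex, which is why the extension check alone already yields a quarantine verdict; the reference scan is there to turn the obvious cases into an automatic block rather than to replace sandbox detonation.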
Quant Loader: A symptom of a larger problem
Past Quant Loader attacks have revealed it to be a distributor for ransomware and password-stealing software, but that's not the biggest news about it: It's for sale online for anyone to use.
Quant Loader itself is a malware-as-a-service product that can be purchased on various underground markets and configured however the end user sees fit.
Malware-as-a-service, as our sister site ZDNet reports, is a growing market that makes cybercrime accessible to criminals who aren't coders, and that's a dangerous thing for everyone. Software available on the black market gives the average criminal access to malware that is kept up to date by the programmer, complete with fresh exploits to keep the product effective as holes are patched.
This particular Quant Loader attack may be exploiting old vulnerabilities and finding victims in predictable ways, but the easy availability of the software means attacks could become more widespread as time goes on.
Avoiding this Quant Loader attack involves the same tactics used for previous email attachment attacks: Keep systems and antivirus software updated, don't open attachments from unknown sources, and train users to recognize threats.
Ready-to-use ransomware is straightforward to deploy and generally relies on email campaigns for distribution. It is a growing threat, but user awareness and good security hygiene can grow right along with it.