A new malware tool that enables cybercriminal actors to build malicious Windows shortcut (.LNK) files has been spotted for sale on cybercrime forums. Dubbed Quantum Lnk Builder, the software makes it possible to spoof any extension and choose from over 300 icons, and it also advertises UAC and Windows SmartScreen bypass as well as support for “multiple payloads per .LNK” file. Also offered are capabilities to generate .HTA and disk image (.ISO) payloads.
Quantum Builder is available for lease at different price points: €189 a month, €355 for two months, €899 for six months, or as a one-off lifetime purchase for €1,500.
“.LNK files are shortcut files that reference other files, folders, or applications to open them,” Cyble researchers said in a report. “The [threat actor] leverages the .LNK files and drops malicious payloads using LOLBins [living-off-the-land binaries].”
Early evidence of malware samples using Quantum Builder in the wild is said to date back to May 24, masquerading as harmless-looking text files (“test.txt.lnk”).
“By default, Windows hides the .LNK extension, so if a file is named as file_name.txt.lnk, then only file_name.txt will be visible to the user even if the show file extension option is enabled,” the researchers said. “For such reasons, this might be an attractive option for TAs, using the .LNK files as a disguise or smokescreen.” Read more: https://bit.ly/3OIBmRr
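For defenders, the two traits described above (a decoy extension in front of the hidden .lnk, and a shortcut that launches a LOLBin) can be checked by reading the shortcut's own fields. The following Python is an added example, not code from the Cyble report or this article: the function names, the short watch lists, the cp1252 fallback for non-Unicode strings and the sample bytes are assumptions constructed for illustration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
# Assumed short watch lists for illustration; extend them for real triage.
LOLBINS = ("powershell", "mshta", "cmd.exe", "rundll32", "wscript")
DECOY_EXTS = (".txt", ".pdf", ".doc", ".docx", ".jpg", ".png")
FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
          (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed header size
    if flags & 0x01:                           # HasLinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                           # HasLinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    out = {}
    for bit, field in FIELDS:                  # fields appear in this fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # length in characters
            pos += 2
            out[field] = data[pos:pos + count * width].decode(codec, "replace")
            pos += count * width
    return out

def triage(filename: str, data: bytes) -> list:
    """Flag a decoy double extension and any watched binary the shortcut references."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DECOY_EXTS):
        findings.append("double extension: shown as " + filename[:-4])
    joined = " ".join(parse_lnk_strings(data).values()).lower()
    return findings + ["references " + b for b in LOLBINS if b in joined]

def build_sample() -> bytes:
    """Constructed sample: header plus Unicode relative path and arguments."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | 0x80).ljust(76, b"\0")
    body = b""
    for s in (r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample"):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Calling `triage("test.txt.lnk", build_sample())` reports both the decoy extension and the `cmd.exe` reference; a truncated file raises `struct.error`, which a caller should treat as malformed input.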