Researchers from Cyble have discovered a new tool called Quantum for creating malicious LNK files. It has a graphical interface and builds files from a large set of options and parameters.
Quantum can be purchased for €1500 or rented for:
- €189 per month;
- €335 for 2 months;
- €899 for 6 months.
Quantum offers the following features:
- disguise under more than 300 icons of various programs;
- substitution of file extensions;
- bypassing User Account Control (UAC);
- bypassing Windows SmartScreen;
- the ability to combine multiple payloads into one LNK file;
- hiding after execution;
- start or delayed execution.
According to the authors of Quantum, files built with it are not detected by antivirus software or by the security mechanisms of the OS. Quantum also offers the ability to create HTA (HTML Application) files and ISO archives, which are commonly used in attacks involving LNK files.
Another interesting feature of Quantum is the use of the DogWalk vulnerability in the Microsoft Support Diagnostic Tool (MSDT), which executes arbitrary code using a .diagcab file. Moreover, Cyble's analysis of recent LNK samples showed that the well-known APT group Lazarus may be using Quantum for its attacks.
LNK files are effective for attackers, so the trend towards the spread of malicious LNK files will continue. Users are advised to scan all files they receive by email with antivirus software.
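
One way to triage a received shortcut beyond an antivirus scan, as an added example that is not from Cyble's report or the original article: the parser reads the header and StringData fields defined in MS-SHLLINK and reports traits worth a closer look, such as an icon taken from a different file than the target. The interpreter list, the heuristics and the sample bytes are assumptions constructed for illustration; targets stored only in the ID list or LinkInfo block are not examined.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits (MS-SHLLINK)
STRINGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
           (0x20, "arguments"), (0x40, "icon_location")]
# Assumed triage list, not taken from the article; tune it for your environment.
INTERPRETERS = ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "msdt.exe")

def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a Shell Link."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_IDLIST:      # 2-byte size followed by the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, field in STRINGS:  # present strings follow in this fixed order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            end = pos + 2 + count * width
            info[field] = data[pos + 2:end].decode(codec, "replace")
            pos = end
    return info

def triage(info):
    """Return the reasons a shortcut deserves a closer look (empty if none)."""
    target = info.get("relative_path", "").lower()
    icon = info.get("icon_location", "").lower()
    reasons = []
    if target.endswith(INTERPRETERS):
        reasons.append("target is a script host or system utility")
    if icon and target and not icon.endswith(target.rsplit("\\", 1)[-1]):
        reasons.append("icon comes from a different file than the target")
    if info["show_command"] == 7:   # SW_SHOWMINNOACTIVE
        reasons.append("window starts minimized")
    return reasons

def item(text):  # StringData item: character count, then UTF-16LE text
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")
# Constructed sample, not a real-world file: 76-byte header plus three strings.
SAMPLE = (struct.pack("<I16sII", 0x4C, LNK_CLSID, 0x08 | 0x20 | 0x40 | 0x80, 0)
          + bytes(32) + struct.pack("<I", 7) + bytes(12)
          + item("..\\..\\Windows\\System32\\cmd.exe")
          + item("/c echo constructed-sample")
          + item("C:\\Windows\\System32\\imageres.dll"))
```

`triage(parse_lnk(SAMPLE))` returns three reasons for the constructed sample. The icon check is noisy on legitimate shortcuts, so treat its output as a prompt for review rather than a verdict.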