Trojan Alert – Quant Loader: Trojan for Distributing Malware


Figure 1 DamRaiX’s post on Quant Loader

Recently, a brand new Trojan called Quant Loader came onto the market and has been spotted on multiple Russian underground marketplaces. It has been observed being distributed with Locky Zepto crypto-ransomware and Pony malware.

It is considered to be a very rudimentary Trojan downloader, created by a known Russian cyber-criminal group called ‘C++ GURU’, also known as CPPGuru. Forcepoint was able to confirm this relationship by discovering that Quant Loader’s seller, “MrRaiX” (also “DamRaiX”), is in fact a member of the same group.

The control panel login page (Figure 2) for Quant Loader confirms this.


Figure 2 Quant Loader – Control Panel Login

Even though the Trojan is new to the market, it has already been seen in use as part of an email campaign. According to Forcepoint, the malware behaves in a similar manner to the DDoS Madness System, which was also developed by CPPGuru.

Madness Pro is a DDoS bot which uses standard methods to persist on the system and evade detection. The group is also known for selling the Z*Stealer information-stealing Trojan and the MBS bitcoin mining Trojan.

What is Quant Loader all about?

Quant Loader can be purchased by anyone who is interested in using the malware. It can be used as a first-stage infection (a malware dropper) which is also able to stealthily download more complex pieces of malware.

Currently, it is widely seen deployed with Locky ransomware (Zepto variant) and Pony campaigns. The spam emails come with a Zip file attached which, when unzipped, drops a Windows Script File (WSF) on the victim’s system. Executing this file downloads Quant Loader which, after establishing boot persistence, downloads Pony or Locky.

Key Features of the Trojan

On the deep web and underground forums, the Trojan’s authors advertised it as a brand new threat that is able to install both DLL and EXE files and escalate user privileges without any complex or aggressive techniques.

The malware provides its owner with an admin panel that allows the attacker to manage and control what the malware pushes to the compromised victim’s machine. Through the panel the attacker can also target victims by geographical location.

The authors behind the malware also advertised that their product can limit the number of required downloads and balance downloads across multiple servers, which would prevent them from being flagged. This would also help users of the malware to optimize Quant Loader installs across various victims.


Figure 3 VirusTotal Report

According to Forcepoint, DDoS Madness Pro and Quant Loader share a lot of the same code. A VirusTotal report (Figure 3) shows how the DDoS bot behaves.

According to Forcepoint’s analysis, both pieces of malware behave in the same manner, which discredits the Quant Loader author’s claim of having developed the malware from scratch. A detailed analysis of the malware campaign can be found on Forcepoint’s portal.

Protection from malware

The attack can be prevented at the following stages using multiple measures, including updated anti-virus rules and advanced security monitoring solutions:

  • The stage in which malicious e-mails associated with this attack traverse the network: endpoint protection and SMTP agents protect against malicious files arriving through email.
  • The stage in which the Quant Loader, Locky Zepto, and Pony malware files are requested from an internal system: identify and prevent outgoing connections to the malicious portals (see the Indicators of Compromise below) from which the malware is downloaded.
  • The stage in which Quant Loader and Pony attempt to contact their C&C servers.

If you are responsible for putting a cyber security strategy in place to protect against malware, the following items will help you create security policies and protect enterprises and their customers from evolving cyber security threats.

  1. Anti-virus and software updates: To protect computers, networks and information across servers, keep security solutions such as anti-virus and internet security software up to date. Up-to-date web browsers, operating systems, and system applications are also among the best defenses against Trojans and other online threats. Anti-virus scans across endpoints and email should be scheduled every time the security solutions are updated.
  2. Enabling traffic analysis: An Intrusion Detection System or Intrusion Prevention System can be a device or an application which prevents outsiders from accessing data on your private network. Operating system firewalls should be enabled, and if the anti-virus solution has firewall capabilities, it is recommended to enable them too. Employees who work from home should ensure that their systems are protected by a firewall.

Indicators of Compromise

WSF Downloader Samples (SHA1)

  • d4594309ff5c94673e34f447c8a8366175e9f572
  • 67660ea4822f06618aedde3571b79674089429b8
  • 8e7d6467bb812d03a6ea422ff8aa2129abb88a77

Quant Loader Sample (SHA1)

  • 43be8c385b69dfb21bbee8e655068aa2aafb22a2

Locky Zepto Sample (SHA1)

  • ddc92ae95c68145fd5331e408cdb58dafd637821

Pony Sample (SHA1)

  • 75277bf9896f029fbabcb0f6e301d34942948a07

WSF Downloader Payload URLs (Quant Loader)


Quant Loader C&Cs

  • hxxp://kruibhez.ws
  • hxxp://ufqeatci.org

Locky Zepto & Pony Payload URLs

  • hxxp://supperuploadtestspeed.ws/1.dll
  • hxxp://factumtech.com/p.exe
  • hxxp://shagunproperty.com/1.dll

Pony C&C

  • hxxp://supperuploadtestspeed.ws
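
One way to apply the C&C and payload indicators above to web proxy logs, covering the payload-request and C&C-contact stages described under "Protection from malware". This is an added example, not code from Forcepoint or the original post; the log format, sample log lines, stage labels and function names are assumptions constructed for illustration. Payload indicators match only their exact path, while C&C indicators match any request to the host.

```python
from urllib.parse import urlsplit

# Defanged indicators copied from the lists above, grouped by attack stage.
INDICATORS = {
    "quant-loader-c2": ["hxxp://kruibhez.ws", "hxxp://ufqeatci.org"],
    "payload-download": ["hxxp://supperuploadtestspeed.ws/1.dll",
                         "hxxp://factumtech.com/p.exe",
                         "hxxp://shagunproperty.com/1.dll"],
    "pony-c2": ["hxxp://supperuploadtestspeed.ws"],
}

# Constructed proxy log (assumed format: time client method url status).
SAMPLE_LOG = """\
2016-01-01T09:14:02Z 10.0.4.17 GET http://factumtech.com/p.exe 200
2016-01-01T09:14:09Z 10.0.4.17 POST http://kruibhez.ws/ 200
2016-01-01T09:15:30Z 10.0.4.22 GET http://example.org/index.html 200
2016-01-01T09:16:41Z 10.0.4.17 GET http://SupperUploadTestSpeed.ws/1.dll 200
"""

def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    return indicator.replace("hxxp", "http", 1).replace("[.]", ".")

def build_index(indicators):
    """Map host -> [(label, path)]; an empty path means the whole host is bad."""
    index = {}
    for label, items in indicators.items():
        for item in items:
            url = urlsplit(refang(item))
            index.setdefault(url.hostname, []).append((label, url.path.lower()))
    return index

def match(url, index):
    """Return sorted labels of every indicator that this requested URL hits."""
    parts = urlsplit(url)  # .hostname is already lower-cased by urlsplit
    return sorted({label for label, path in index.get(parts.hostname, [])
                   if path == "" or path == parts.path.lower()})

def scan(log_text, index):
    """Return (client, url, labels) for each log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        labels = match(fields[3], index)
        if labels:
            hits.append((fields[1], fields[3], labels))
    return hits

if __name__ == "__main__":
    for client, url, labels in scan(SAMPLE_LOG, build_index(INDICATORS)):
        print(client, url.replace("http", "hxxp", 1), ",".join(labels))
```

A client that shows a payload-download hit followed by a C&C hit, as 10.0.4.17 does in the constructed log, has likely progressed past the download stage and should be prioritised for triage.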

Cyber criminals are evolving their approach to distributing malware across enterprises. Within two weeks of the Quant Loader malware being released, it was being used to distribute Locky and Pony malware. Because of the scrutiny it has received, it is expected that the malware will be improved in the future.

It is also recommended to download anti-malware solutions from Microsoft, such as the Malicious Software Removal Tool. This tool will scan your system for the malware and effectively remove it for you. You can also use similar tools from other reputable developers, such as the Kaspersky Virus Removal Tool and the Norton Power Eraser.
