Cybersecurity researchers have shed light on a potent tool named Quantum Builder (Quantum Software) that allows threat actors to create weaponized .lnk files. LNKs are Windows shortcut files that can carry malicious code. Threat actors can use them to abuse legitimate tools already present on the breached system, such as PowerShell or MSHTA (used to execute Microsoft HTML Application files).
Details about Quantum Builder were published in a report by the researchers, who discovered the tool being offered for sale to potential threat actors. The price was set at €189 per month, €335 for two months, and €899 for six months. For lifetime access, the would-be criminals would need to make a single payment of €1,500. The builder comes with a graphical interface and an expansive set of options and parameters to facilitate the creation of malicious LNKs.
Furthermore, Quantum is advertised as being fully undetectable, which would mean that no anti-malware engines or cybersecurity protection mechanisms are able to flag it as potentially suspicious or outright threatening. In addition, it can bypass Windows UAC (User Account Control), as well as Windows SmartScreen. The tool can also use a single LNK file to load multiple malicious payloads. Apart from LNKs, Quantum Builder allows threat actors to create HTA files and even ISO archives, which are often used to package all of the harmful components inside a disk image.
The researchers discovered another distinctive feature of Quantum Builder. Apparently, the tool could allow the attackers to perform arbitrary code execution via a DogWalk n-day exploit. The vulnerability affects the Microsoft Support Diagnostic Tool (MSDT).