An onrush of attacks combining phishing, social engineering, exploits, and obfuscation is being used to spread a Quant Loader Trojan capable of distributing ransomware and password stealers.
Researchers at Barracuda last month began spotting malicious zipped Microsoft Internet shortcut files with a ".url" file extension that claim to be billing documents but actually point to remote script files.
The researchers observed the attack as a series of mini-campaigns, each lasting less than a day and using a single domain to serve malicious script files over Samba, with a single variant of Quant distributed from a handful of domains. The attacks also followed a consistent email content and file name pattern, with some emails carrying no body text at all, only a subject line, the researchers said.
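A defender-side check for the shortcut pattern described above, written as an added example rather than Barracuda's own tooling: it parses the `[InternetShortcut]` section of a .url file and flags a target that is a script file reached over SMB (a `file://host/...` URL or a UNC path). The shortcut contents and TEST-NET addresses below are constructed samples.

```python
"""Flag .url Internet shortcuts whose target is a script served over SMB."""
import configparser
import posixpath
from typing import Optional
from urllib.parse import urlparse

# Script types Windows hands to wscript/mshta/cmd when the target is opened.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".bat", ".cmd", ".ps1"}


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:  # not an INI-style shortcut at all
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip()
    return None


def assess_shortcut(text: str) -> dict:
    """Decide whether the shortcut fetches a script over SMB (file:// or UNC)."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "remote_smb": False, "script": False, "suspicious": False}
    # Windows resolves both file://host/share/x and \\host\share\x over SMB;
    # normalising backslashes lets urlparse expose the host for both forms.
    parsed = urlparse(target.replace("\\", "/"))
    remote_smb = bool(parsed.netloc) and parsed.scheme.lower() in ("file", "")
    script = posixpath.splitext(parsed.path)[1].lower() in SCRIPT_EXTENSIONS
    return {"target": target, "remote_smb": remote_smb, "script": script,
            "suspicious": remote_smb and script}


# Constructed sample shortcuts (TEST-NET addresses); not real campaign indicators.
BENIGN = "[InternetShortcut]\nURL=https://example.com/billing/statement\n"
MALICIOUS = "[InternetShortcut]\nURL=file://203.0.113.5/share/invoice.js\nIconIndex=0\n"
UNC = "[InternetShortcut]\nURL=\\\\192.0.2.10\\pub\\bill.wsf\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("file-url", MALICIOUS), ("unc", UNC)):
        print(name, assess_shortcut(sample))
```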
Rod Soto, an analyst at JASK, said the attack matches current observations of other malicious campaigns in which scripting languages are used to execute exploitation and infection payloads and bypass standard browser protections.
“Scripting languages are perceived as less dangerous than actual files, as they are usually trusted by the operating system and operate under current user rights, so it takes deeper inspection into the actual code in order to assess its maliciousness,” said Soto. “These types of attacks are growing in popularity and are also called fileless malware.”