Researchers are warning of a new email phishing campaign that downloads and launches the Quant Loader trojan, capable of distributing ransomware and stealing passwords.
Barracuda on Tuesday said it has been tracking emails containing zipped Microsoft internet shortcut files with a “.url” file extension sent to millions of inboxes via a phishing campaign over the past month. If the files are executed, a script is downloaded, which then drops the Quant Loader malware onto the targeted system.
“This is a more sophisticated approach than usual… it might be a way to prepare for a later attack,” said Fleming Shi, SVP of Advanced Technology Engineering at Barracuda in an interview with Threatpost.
Shi said victims are tricked into clicking unfamiliar file extensions in emails, which look like billing documents. The emails follow a file name pattern, and some have no text content, only a subject line.
“These shortcut files use a variation on the CVE-2016-3353 proof-of-concept, containing links to JavaScript files (and more recently Windows Script Files). However, in this instance the URL was prefixed with ‘file://’ rather than ‘http://’ which fetches them (scripts) over Samba rather than through a web browser,” wrote researchers in a technical blog outlining the research.
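For mail-gateway or triage use, the pattern the researchers describe (a zipped “.url” shortcut whose URL uses ‘file://’ and points at a script) can be checked statically. The following is an added example, not code from Barracuda or the article; the host name, file names and the extensions beyond .js and .wsf are assumptions, and the sample attachment is constructed.

```python
import io
import zipfile
from urllib.parse import urlsplit

# .js and .wsf are the script types named in the article; the rest are assumed.
SCRIPT_EXTS = (".js", ".wsf", ".jse", ".vbs")

def shortcut_url(data):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for raw in data.decode("utf-8-sig", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None

def assess(url):
    """Return the reasons a shortcut target matches the pattern described."""
    parts = urlsplit(url.replace("\\", "/"))
    reasons = []
    if parts.scheme.lower() == "file" and parts.netloc:
        reasons.append("file:// target on remote host " + parts.netloc)
    if parts.path.lower().endswith(SCRIPT_EXTS):
        reasons.append("target is a script file")
    return reasons

def scan_zip(blob):
    """Return (member, url, reasons) for each flagged .url file in a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".url"):
                url = shortcut_url(zf.read(name))
                reasons = assess(url) if url else []
                if reasons:
                    findings.append((name, url, reasons))
    return findings

def build_sample():
    """Constructed test attachment: one flagged shortcut, one ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url", "[InternetShortcut]\r\nURL=file://files.example.invalid/share/invoice.js\r\n")
        zf.writestr("site.url", "[InternetShortcut]\r\nURL=https://example.com/\r\n")
    return buf.getvalue()
```

Calling `scan_zip(build_sample())` flags only the constructed `invoice.url`, with both reasons attached; the ordinary HTTPS shortcut passes.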