A recent spate of attacks combining phishing, social engineering, exploits, and obfuscation is being used to spread the Quant Loader trojan, which is capable of distributing ransomware and password stealers.
Researchers at Barracuda last month began spotting zipped, malicious Microsoft Internet Shortcut files with a “.url” file extension that claim to be billing documents but actually point to remote script files.
Researchers observed the attack as a series of mini-campaigns, each lasting less than a day, each using a single domain to serve malicious script files over Samba, and each distributing a single variant of Quant from a handful of domains. The attacks also followed a consistent pattern in email content and file names, with some emails containing no body text at all, only a subject line, researchers said.
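The lure described above relies on the target of a .url shortcut rather than on the file itself, so a useful triage step is to parse the shortcut and inspect where it points. The following is an added example, not code from the article or from Barracuda or JASK; it assumes the standard [InternetShortcut] / URL= layout of .url files, treats file:// and UNC targets as SMB (Samba) fetches, and uses an assumed list of script-type extensions, since the article only says "remote script files".

```python
"""Triage check for Microsoft Internet Shortcut (.url) files (added example, not the article's code).
Assumes the standard .url layout: an INI-style [InternetShortcut] section with a URL= key.
Flags targets fetched from a remote share over SMB (file:// URLs or UNC paths with two leading
backslashes) and targets named with a script-type extension (the extension list is an assumption)."""
import configparser
import re
from urllib.parse import unquote, urlparse

# Assumed script-type extensions; the article only says "remote script files".
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".bat", ".cmd"}

def parse_url_shortcut(text):
    """Return the URL= target of a .url file, or None if the layout is not recognised."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    for section in parser.sections():  # match the section name case-insensitively
        if section.lower() == "internetshortcut":
            return parser[section].get("url")  # configparser lower-cases option names
    return None

def classify_target(url):
    """Return the reasons a shortcut target looks suspicious (empty list = nothing flagged)."""
    reasons = []
    raw = url.strip()
    parsed = urlparse(raw)
    # A file:// URL or a bare UNC path means the target is pulled from a remote share over SMB.
    if parsed.scheme.lower() == "file" or raw.startswith(("\\\\", "//")):
        reasons.append("remote share (SMB/UNC) target")
    # Final path component, from either the URL path or the UNC path, with %xx decoding.
    path = parsed.path if parsed.scheme else raw
    name = re.split(r"[\\/]", unquote(path))[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script-type target ({ext})")
    return reasons

def triage_url_file(text):
    """Parse one .url file's contents and report its target plus any findings."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "reasons": ["no [InternetShortcut] URL= entry found"]}
    return {"target": target, "reasons": classify_target(target)}

# Constructed samples; 203.0.113.5 is a documentation address, not an indicator from the article.
MALICIOUS_SAMPLE = "[InternetShortcut]\r\nURL=file://203.0.113.5/share/billing_document.js\r\n"
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://intranet.example/billing/invoice.pdf\r\n"
```

Run `triage_url_file` over each .url member extracted from an attachment archive; a hit on the remote-share reason alone is worth a look, since a legitimate billing shortcut rarely points at an external SMB host.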
Rod Soto, director of security research at JASK, told SC Media the attack matches current observations of other malicious campaigns where scripting languages are being used to execute exploitation and infection payloads and bypass standard browser protections.
“Scripting languages are perceived as less dangerous than actual files, as they are usually trusted by the operating system and operate under current user rights, so it takes deeper inspection into the actual code in order to assess its maliciousness,” said Soto. “These types of attacks are growing in popularity and are also called fileless malware.”